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(57)Abstract: 

PROBLEM TO BE SOLVED: To provide a 
switch including a back plane and packet 
processors. 

SOLUTION: One or more packet processors 
include a multi-level policing logic. The packet 
processor receives a packet and classifiers the 
packet into policing available groups. The 
packet is compared with a bandwidth contact 
defined as to the pohcing available group. A 
policing database is used to apply nest retrieval 
to the packet to identify groups and to retrieve 
policing data with respect to the policing 
available groups. This policing result it 
combined into one policing result by adopting 
the policing result in the worst case, this is applied as recommendations to a disposition 
logic and the disposition is decided to the packet in combination with other disposition 
recommendations. 
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CLAIMS 



[Claim(s)] 

[Claim 1]A packet switching controller which it has an input part which receives a 
packet, and a regulation element which classifies a packet into two or more policing 
available groups, and a packet is compared with one or more bandwidth contracts that a 
policing available group was defined, and generates one or more pohcing results. 
[Claim 2]In order that a regulation element may search the 1st regulated data and the 
2nd pohcing available group identifier including a regulation database, the 1st policing 
available group identifier is applied to a regulation database, The packet switching 
controller according to claim 1 with which the 1st regulated data is appHed in order to 
generate the 1st pohcing result, the 2nd policing available group identifier is applied to 
a regulation database in order to search the 2nd regulated data, and the 2nd regulated 
data is applied in order to generate the 2nd policing result. 

[Claim 3] The packet switching controller according to claim 1 with which it has fiirther 
an arrangement engine which makes an arrangement decision to a packet, and an 
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arrangement engine uses a policing result and other at least one arrangement advice, 
and a policing result makes an arrangement decision to a packet including one or more 
arrangement advice. 

[Claim 4]The packet switching controller according to claim 1 which combines a policing 
result with one result by taking in a policing result in a case of being the worst. 
[Claim 5]A method characterized by comprising the following of processing a packet 
using a regulation element. 
A step which receives a packet. 

A step which classifies a packet into two or more poHcing available groups. 
A step which generates one or more policing results as compared with one or more 
bandwidth contracts of having defined a packet about a poUcing available group. 
[Claim 6] A regulation element applies the 1st policing available group identifier to a 
regulation database including a regulation database, The 1st regulated data and a step 
which searches the 2nd poMcing available group identifier, Use the 1st regulated data 
and a step which generates the 1st policing result, and the 2nd policing available group 
identifier are applied to a regulation database, A method of containing further a step 
which searches the 2nd regulated data, and a step which uses the 2nd regulated data 
and generates the 2nd policing result of processing the packet according to claim 5. 
[Claim 7]A method of processing the packet according to claim 5 that a policing result 
uses a poKcing result and other at least one arrangement advice, and is further 
provided with a step which makes an arrangement decision to a packet including one or 
more arrangement advice. 

[Claim 8]A method of containing further a step which combines a pohcing result with 
one result by taking in a pohcing result in a case of being the worst of processing the 
packet according to claim 5. 

[Claim 9]A method of regulating a data packet which a data communication switch 
received, comprising: 

A step which classifies a data packet into two or more pohcing available groups. 

A step which identifies regulated data related with one or more pohcing available 

groups. 

A step which generates one or more poMcing results which apply regulated data and 

receive a policing available group. 

A step which advises arrangement of a data packet from a poMcing result. 

[Claim 10] A way according to claim 9 a specific policing available group identifies a type 

of application to regulate. 

[Claim 11]A way according to claim 9 regulated data includes information about 
bandwidth restrictions specified about at least one policing available group. 
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[Claim 12]A way according to claim 9 a policing result shows whether a data packet 
should be transmitted. 

[Claim 13] A method according to claim 9 of showing whether a policing result is proper 
although a data packet drops. 

[Claim 14]A method according to claim 9 of showing whether a pohcing resuilt should 
drop a data packet. 

[Claim 15] A way according to claim 9 a step which advises arrangement contains a step 
which creates advice combining a poMcing result. 

[Claim 16]A method according to claim 9 including that a step which advises 

arrangement chooses one of the pohcing results as advised arrangement. 

[Claim 17] A method according to claim 9 of containing further a step which updates 

regulated data based on advised arrangement. 

[Claim 18]A method of regulating a data packet which a data communication switch 

received, comprising: 

A step which creates a regulation database including two or more regulation data 
entries which speciJfy regulated data to two or more policing available groups. 
The 1st regulated data that applies the 1st identifier and is related with the 1st policing 
available group. 

A step which searches the 2nd identifier that identifies the 2nd pohcing available group. 
A step which apphes the 1st regulated data and generates the 1st pohcing result, a step 
which apphes the 2nd identifier and searches the 2nd regulated data, a step which 
apphes the 2nd regulated data and generates the 2nd pohcing result, and a step which 
advises arrangement of a data packet from the 1st and 2nd policing results. 
[Claim 19]A way according to claim 18 a specific policing available group identifies a 
type of apphcation to regulate. 

[Claim 20]A way according to claim 18 regulated data includes information about 
bandwidth restrictions specified about a pohcing available group. 

[Claim 21]A way according to claim 18 a policing result shows whether a data packet 
should be transmitted. 

[Claim 22] A method according to claim 18 of showing whether a policing result is proper 
although a data packet drops. 

[Claim 23]A method according to claim 18 of showing whether a pohcing result should 
drop a data packet. 

[Claim 24] A way according to claim 18 a step which advises arrangement creates advice 
combining the 1st and 2nd policing results. 

[Claim 25]A method according to claim 18 including that a step which advises 
arrangement chooses one of the 1st or 2nd pohcing result as advised arrangement 
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further. 

[Claim 26]A method according to claim 18 of containing further a step which updates 
the 1st or 2nd regulated data based on advised arrangement. 

[Claim 27]A regulation engine for a data communication node with which a regulation 
engine classifies a packet into two or more policing available groups, and generates each 
of a policing result about each of a pohcing available group as compared with each of a 
bandwidth contract of a packet. 

[Claim 28]In order to search the 1st regulated data and the 2nd poUcing available group 
identifier, the 1st pohcing available group identifier is applied to a regulation database, 
A regulation engine for a data communication node with which the 1st regulated data is 
apphed in order to generate the 1st pohcing result, the 2nd pohcing available group 
identifier is apphed to a regulation database in order to search the 2nd regulated data, 
and the 2nd regulated data is applied in order to generate the 2nd pohcing result. 
[Claim 29]A packet processor which it has an input part which receives a packet, and a 
control means which classifies a packet into two or more pohcing available groups, and 
a packet is compared with one or more bandwidth contracts that a pohcing available 
group was defij^ied, and generates one or more policing results. 

[Claim 30]In order that a control means may search the 1st regulated data and the 2nd 
pohcing available group identifier including a regulation database, the 1st policing 
available group identifier is applied to a regulation database, The packet processor 
according to claim 29 to which the 1st regulated data is apphed in order to generate the 
1st policuig result, the 2nd pohcing available group identifier is applied to a regulation 
database in order to search the 2nd regulated data, and the 2nd regulated data is 
apphed in order to generate the 2nd policing result. 

[Claim 31]The packet processor according to claim 29 which is further equipped with an 
arrangement means which makes an arrangement decision to a packet and to which an 
arrangement means makes an arrangement decision to a packet using a pohcing result 
and other at least one arrangement advice including arrangement advice of one or more 
[ pohcing result ]. 

[Claim 32]The packet processor according to claim 29 which combines a pohcing result 
with one result by taking in a policing result in a case of being the worst. 
[Claim 33]A packet switching controller is further provided with a debiting element, 
The packet switching controller according to claim 1 which has a related token bucket 
which at least one bandwidth contract shows available bandwidth under said 
bandwidth contract, and judges DEBITTO [ element / a debiting element uses a policing 
result and / a related token bucket ]. 

[Claim 34]A packet switching controller is further provided with a debiting element. It 
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has a related token bucket in which bandwidth with at least one bandwidth contract 
available under a bandwidth contract is shown, Until it provides with arrangement 
determination a debiting element used in order to judge DEBITTO [ an arrangement 
engine / a related token bucket ], The packet switching controller according to claim 3 
which keeps unchanged DEBITTO [ a debiting element / a packet size / a related token 
bucket], 

[Claim 35]A method of having a related token bucket in which bandwidth with at least 
one bandwidth contract available imder a bandwidth contract is shown, and including 
further judging DEBITTO [ a related token bucket ] using a policing result of processing 
the packet according to claim 5. 

[Claim 36] A method of having a related token bucket in which bandwidth with at least 
one bandwidth contract available under a bandwidth contract is shown, and including 
further judging DEBITTO [ a packet size / a related token bucket ] using arrangement 
determination of processing the packet according to claim 7. 

[Claim 37]Arrangement advice from a policing result and other at least one 
arrangement advice are used, A method of regulating the data packet according to claim 
11 which contains further a step which generates arrangement determination to a data 
packet, and a step which judges whether information about bandwidth restrictions is 
updated using arrangement determination. 

[Claim 38]Arrangement advice from the 1st and 2nd policing results and other at least 
one arrangement advice are used, A method of regulating the data packet according to 
claim 20 which contains further a step which generates arrangement determination to a 
data packet, and a step which judges whether information about bandwidth restrictions 
is updated using arrangement determination. 

[Claim 39]The regulation engine according to claim 27 which judges whether available 
bandwidth is updated based on a policing result under a bandwidth contract. 
[Claim 40]A packet processor is further provided with a DEBITTO means, and it at 
least one bandwidth contract, Until it provides with arrangement determination a 
debiting means to use it in order to judge DEBITTO [ it has a related token bucket in 
which available bandwidth is shown under a bandwidth contract, and / an arrangement 
means / a related token bucket ], The packet processor according to claim 31 which 
keeps unchanged DEBITTO [ a debiting means / a packet size / a related token bucket ]. 
[Claim 41]A data regulation method comprising: 
A step which receives a packet. 

A step which adds a time credit to the 1st token count, and generates the 2nd token 
count. 

A step which applies the 2nd token count and generates a policing result to a packet. 
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A step which judges whether a poUcing result is appHed, a SAIZUDE bit is subtracted 
from the 2nd token count, and the 3rd token count is generated, A step which subtracts 
a SAIZUDE bit from the 2nd token count, and generates the 3rd token count when 
subtraction appHes a poHcing result and it is judged. 

[Claim 42]A step which receives the 2nd packet, and a step which adds the 2nd time 
credit to the 2nd token coxmt, and generates the 4th token count when the 3rd token 
count is not generated, A step which adds the 2nd time credit to the 3rd token count, 
and generates the 4th token coimt when the 3rd token count is generated, A data 
regulation method according to claim 41 which apphes the 4th token count and contains 
further a step which generates a poUcing result to the 2nd packet. 
[Claim 43] A data regulation method comprising: . 
A step which receives a packet. 

A step which adds a time credit to the 1st token count, and generates the 2nd token 
count. 

A step which generates a pohcing result to a packet with the application of the 2nd 
token count. 

A step which generates an arranging result to a packet with the appHcation of a policing 
result, A step which judges whether an arranging result is applied, a SAIZUDE bit is 
subtracted from the 2nd token count, and the 3rd token count is generated, A step which 
subtracts a SAIZUDE bit from the 2nd token count, and generates the 3rd token coimt 
when subtraction applies an arranging result and it is judged. 

[Claim 44]A data regulation method according to claim 43 which applies a pohcing 
result as advice which has other at least one advice, and generates an arranging result. 
[Claim 45] A data regulation method comprising: 
A step which receives a packet. 

A step which adds a time credit to each of a token count, and generates each of the 2nd 
token count. 

A step which generates a pohcing result to a packet with the appKcation of each of the 
2nd token count. 

A step which judges whether a policing result is applied, a SAIZUDE bit is subtracted 
from at least one of the 2nd token counts, and at least one 3rd token count is generated, 
A step which subtracts a SAIZUDE bit from at least one of the 2nd token counts, and 
generates at least one 3rd token count when subtraction applies a pohcing result and it 
is judged. 

[Claim 46]A data regulation method comprising: 
A step which receives a packet. 

A step which adds a time credit to each of a token count, and generates each of the 2nd 
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token count. 

A step which generates a policing result to a packet with the appKcation of each of the 
2nd token count. 

A step which generates an arranging result to a packet with the application of a policing 
result, A SAIZUDE bit is subtracted from at least one of the 2nd token counts with the 
application of an arranging result, A step which judges whether at least one 3rd token 
count is generated, and a step which subtracts a SAIZUDE bit from at least one of the 
2nd token counts, and generates at least one 3rd token count when subtraction apphes 
an arranging result and it is judged. 



DETAILED DESCRIPTION 



POetailed Description of the Invention] 
[0001] 

[Field of the Invention]. Applied for cross-reference this apphcation of related 
application on May 24, 2000. The U.S. provisional application 60th of the name "System 
and Method for Enhanced Line Cards" / No. 206,617, The U.S. provisional application 
60th of the name "Flow Resolution Logic System and Method" for which it applied on 
May 24, 2000 / No. 206,996, And the U.S. provisional application 60th of a name / right 
of priority of No. 220,335 of "Programmable Packet Processor" for which it applied on 
July 24, 2000 is charged. 

All these contents are thoroughly included in this specification by reference. 
This application includes the theme related to the theme currently indicated by U.S. 
patent application 09th of the name "Programmable Packet Processor withFlow 
Resolution Logic" for which it applied on December 28, 2000 / No. 751,194. These 
contents are thoroughly included in this specification by reference. 

[0002] Generally this invention relates to the data communication switch which uses 
speed regulation (rate policing) of the plural level to a data packet for details more 
about a data communication switch. 
[0003] 

[Description of the Prior Art] Since the customer with the qualification for receiving a 
different quality of service (QoS) is V3dng in the available bandwidth of the network 
resource which is a common set, speed regulation is set to the data communication 
network, and is becoming still more important. Usually, speed regulation classifies each 
packet into one policy group, and is attained in each switch by comparing the classified 
packet with one or more bandwidth contracts that the group was defined. It is possible 
to transmit a packet based on the identified bandwidth contract, to attach and transmit 
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the mark of an abandonment eligibility (discard eligible), or to discard. 
[0004] 

[Problem(s) to be Solved by the Invention]The existing speed regulation method usually 
regulates the traffic of data for every port regardless of other information about traffic. 
Usually, when congestion arises, the data exceeding the speed for which the customer 
appUed is marked as it should be dropped, therefore -- a customer is usually based on 
the specific application relevant to data - etc. - based on the type of data, it does not 
have the pliability to drop a certain kind of data selectively. 

[0005] Since the request of doubling a communication network with the demand which 
the customer individuahzed is becoming strong, pliability is increasing, but it is so 
desirable for operation to provide the regulation logic which is not comphcated that line 
speed is reduced remarkably. 
[0006] 

[Means for Solving the Problem]According to one embodiment of this invention, a 
packet switching controller is provided. A packet switching controller contains an input 
part which receives a packet, and a regulation element which classifies a packet into 
two or more policing available groups. A packet is compared with one or more 
bandwidth contracts that a policing available group was defined, and generates one or 
more policing results. 

[0007]According to other embodiments of this invention, a method of processing a 
packet is provided. A packet is received and it classifies into two or more pohcing 
available groups. One or more policing results are generated as compared with one or 
more bandwidth contracts of having defined a packet about a policing available group. 
[0008]According to other embodiments of this invention, a method of regulating a data 
packet which a data communication switch received is provided. A data packet is 
classified into two or more policing available groups. Subsequently, regulated data 
related with one or more pohcing available groups is identified. Regulated data is 
appUed, one or more policing results which receive a policing available group are 
generated, and arrangement (disposition) of a data packet is advised from a policing 
result. 

[0009]According to other embodiments of this invention, a method of regulating a data 
packet which a data communication switch received is provided. A regulation database 
include two or more regulation data entries which specify regulated data to two or more 
pohcing available groups is built. The 1st identifier is apphed and the 1st regulated 
data related with the 1st policing available group and the 2nd identifier that identifies 
the 2nd policing available group are searched. Subsequently, the 1st regulated data is 
appUed and the 1st pohcing result is generated. The 2nd identifier is apphed and the 
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2nd regulated data is searched. Subsequently, the 2nd regulated data is apphed and the 
2nd policing result is generated. Arrangement of a data packet is advised from the 1st 
and 2nd policing results. 

[00 10] According to other embodiments of this invention, a regulation engine for a data 
commimication node is provided. A regulation engine classijfies a packet into two or 
more policing available groups. As compared vdth each of a bandwidth contract of a 
packet, each policing result is generated about each of a policing available group, 
[0011]According to other embodiments of this invention, a regulation engine for a data 
commimication node is provided. In order to search the 1st regulated data and the 2nd 
policing available group identifier, the 1st poUcing available group identifier is applied 
to a regulation database. In order to generate the 1st policing result, the 1st regulated 
data is applied, and in order to search the 2nd regulated data, the 2nd policing available 
group identifier is appMed to a regulation database. In order to generate the 2nd 
poUcing result, the 2nd regulated data is apphed. 

[00 12] According to other embodiments of this invention, a packet processor is provided. 
A packet processor includes an input part which searches a packet, and a control means 
which classifies a packet into two or more policing available groups. A packet is 
compared with one or more bandwidth contracts that a policing available group was 
defined, and generates one or more policing results. 
[0013] 

[Embodiment of the InventionjI, The network environment containing the packet 
switching node 10 is shown by the schematic diagram 1 . A packet switching node can be 
called a switch, a data commxmdcation node, or a data commimication switch. 
Interconnection of the packet switching node 10 is carried out to LAN 30, 32, and 34, 
respectively, and it includes the exchange interfaces 14, 16, and 18 in which 
interconnection is mutually carried out by the data paths 20, 22j and 24 via the 
exchange back plane 12. As for the exchange back plane 12, it is preferred that an 
exchange fabric is included. An exchange interface can be combined with each other 
according to the control routes 26 and 28. 

[0014]The exchange interfaces 14, 16, and 18 Media-access-control (MAC) bridging, 
Internet Protocol (IP) routing, etc., It is preferred to send a packet to each group of LAN 
30, 32, and 34, and to send a packet from there according to one or more operational 
communications protocols. The switching node 10 is only shown for the purpose of 
illustration. Actually, a packet switching node exceeds three or can include less than 
three exchange interfaces. 

[00 15] Drawing 2 i s a block diagram of the exchange interface 50 in one embodiment of 
this invention. The exchange interface 50 can suppose that it is the same as that of the 
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exchange interfaces 14, 16, and 18 of drawing 1 , etc. The exchange interface 50 contains 
the access controller 54 combined between LAN and the packet switching controller 52. 
A medium access controller (MAC) can be included by the access controller 54, for 
example. It is preferred to carry out processing which receives the inbound packet 
which left LAN, carries out the physical layer and MAC layer operation for which it 
does riot depend on a flow to an inboimd packet, and transmits an inbound packet to the 
packet switching controller 52 and for which it depends on a flow. As for the access 
controller 54, it is preferred to receive an outbound packet from the packet switching 
controller 52, and to transmit a packet on LAN. Physical operation and MAC layer 
operation are carried out to an outbound packet, and the access controller 54 can be 
transmitted on LAN after that, 

[0016]In order to cope with the packet which has large various communications 
protocols, the programmable thing of the packet switching controller 52 is preferred. As 
for the packet switching controller 52, it is preferred to receive an inbound packet, to 
classify a packet, to correct a packet according to flow information, and to transmit the 
changed packet on exchange back planes, such as the exchange back plane 12 of 
drawing 1 . As for the packet switching controller 52, it is preferred to receive the packet 
corrected by other packet switching controllers via an exchange back plane, to transmit 
it to the access controller 54, and to advance on LAN. Exit processing (egress 
processing) is performed to what the packet chose, it transmits to the access controller 
54 after that, and the packet switching controller 52 can be transmitted on LAN. 
[0017] Drawing 3 i s a block diagram of the programmable packet switching controller 
100 in one embodiment of this invention. For example, the programmable packet 
switching controller 100 can suppose that it is the same as that of the packet switching 
controller 52 of drawing 2 , As for the programmable packet switching controller 100, it 
is preferred to have the flow analysis logic which classifies and routes the ingress flow of 
a packet. As for a programmable packet switching controller, because of programmable 
character, it is preferred to provide the pliability coping with the protocol and/or the 
updating possibihty of the field that many differ. A programmable packet switching 
controller can be called under the name of the others generally used by a packet 
switching controller, a switching controller, the program packet processor, the network 
processor, the communication processor, or the person skilled in the art. 
[0018]The programmable packet switching controller 100 contains the packet buffer 102, 
the packet classification engine 104, the application engine 106, and the regulation 
engine 120. A regulation engine can also be called a regulation element. Few [ that it is 
more or ] constitution elements can be included by the packet switching controller of 
other embodiments. For example, the pattern-matching module which investigates 
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compatibility comparing a part of packet with a predetermined pattern can be included 
by the packet switching controller of other embodiments. The packet switching 
controller of other embodiments can edit an inbound packet, and the edit module which 
generates an outboimd packet can be included. 

[0019]As for the programmable packet switching controller 100, it is preferred to receive 
the inbound packet 108. Although an Ethernet (registered trademark) frame, an ATM 
cell, TCP/IP, and/or UDP/IP packet can be included by the packet, it is not Kmited to 
this. It is possible for the data imit of other layers 2 (a data MnkTMAC layer), the layer 3 
(network layer), or the layer 4 (transport layer) to be included. For example, the packet 
buffer 102 can receive an inbound packet jfrom one or more media-access-control (MAC) 
layer interfaces via Ethernet. 

[0020]As for the packet which received, being stored in the packet buffer 102 is 
preferred. Packet FIFO which receives a packet and is stored temporarily can be 
included by the packet buffer 102. As for the packet buffer 102, it is preferred to provide 
the packet classification engine 104 and the apphcation engine 106 with the stored 
packet or its part, and to process it. 

[0021]The edit module which edits a packet and is carried forward outside from a 
switching controller as the outbound packet 118 after that can be included by the packet 
buffer 102. the edit program in which an edit module creates an edit program in real 
time " building it is possible for an engine and/or the edit engine which corrects a 
packet to be included. The apphcation engine 106 has a preferred thing which can 
include the arrangement determination of a packet and for which the packet buffer 102 
is provided with the apphcation data 116. an edit program - building - as for an engine, 
it is preferred to use apphcation data and to create an edit program. The outbound 
packet 118 can be transmitted to communication networks, such as Ethernet, via an 
. exchange fabric interface. 

[0022] One of a header-data extractor and the header data caches or both can be 
included by the packet buffer 102. It is preferred to use a header-data extractor and to 
store in a header data cache the field which extracted and extracted one or more fields 
from the packet as extraction header data. Although a part or all of packet headers can 
be included by extraction header data, they are not limited to this. For example, a 
header data cache is able to store the first N byte of each frame in an Ethernet system. 
[0023] As for extraction header data, it is preferred to provide and process to the packet 
classification engine 104 as the output signal 110. The application engine can pass the 
interface 114, and can require and receive extraction header data. Extraction header 
data The MAC Address of the layer 2, 802.1 P/Q tag status, Although it is possible for 
one or more of the sealing (encapsulation) type of the layer 2, the protocol type of the 
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layer 3, the address of the layer 3, a ToS (type of service) value, and the port number of 
the layer 4 to be included, it is not limited to this. At other embodiments, the inbound 
packet whole [ other than it instead of the extracted header data ] can be included by 
the output signal 110. In other embodiments, it is possible to use the packet 
classification engine 104, and to make extraction header data a format suitable for use 
of application engine, and/or to load data to a header data cache. 

[0024]As for the packet classification engine 104, it is preferred that programmable 
microcode drive embedding type processing engine is included. As for the packet 
classification engine 104, being combined with command RAM (IRAM) (not shown) is 
preferred. As for packet classification engine, it is preferred to read and execute the 
command stored in IRAM. In one embodiment, many of commands which packet 
classification engine executes are condition jumps. According to this embodiment, 
classification logic contains the determination tree in which that the packet sorting of a 
different t3^e is shown has a desirable leaf in an end part. As for the brunch of a 
determination tree, it is preferred to be chosen based on comparison with instruction 
conditions and the header field stored in the header data cache. At other embodiments, 
classification logic cannot be based on a determination tree. 

[0025]As for the application engine 106, in one embodiment of this invention, it is 
preferred that two or more programmable sub engine has the pipeline architecture 
currently pipehned linearly. As for each programmable sub engine, it is preferred to 
carry out operation to a packet, it is a "bucket brigade" method and it is preferred to 
transmit a packet to the following programmable sub engine, the start signal 112 is 
used for packet classification engine — the [ of application engine ] — it is preferred by 
starting 1 programmable sub engine to start pipelining packet processing. The start 
signal 112 can include discernment of one or more programs executed with the 
apphcation engine 106. The start signal 112 can include packet classification 
information. As for the programmable sub engine of application engine, it is preferred to 
have the direct access to header data and the extraction field stored in the header data 
cache via the interface 114. 

[0026]As for a decision-making stage, although the application engine can include other 
processing stages which programmable sub engine does not perform, it is preferred to 
perform with programmable sub engine and to increase pliability. At other 
embodiments, the application engine can include other treatment structures. 
[0027]As for the arrangement determination included in the application data 116, being 
provided for the regulation engine 120 is preferred. As for the regulation engine 120, it 
is preferred again to receive one or more regulation ID124. As for the regulation engine 
120, it is preferred to use arrangement determination and regulation ID and to generate 
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one or more regulation advice 122. Regulation advice can be considered as the type of 
arrangement advice, and it is also possible to call it a policing result. It is preferred to 
generate the apphcation data which the apphcation engine 106 is provided with 
regulation advice, and it is used with other arrangement advice, and can include 
arrangement determination. 

[0028] n. The programmable arrangement logic diagram 4 i s a block diagram of the 
packet switching controller 130 which has programmable arrangement logic. The 
packet switching controller 130 can suppose that it is the same as that of the packet 
switching controller 100 of drawing 3. for example. A packet switching controller 
contains the packet buffer 132, the packet classification engine 134, the 
pattern-matching search logic 136, the apphcation engine 138, and the regulation 
engine 166. 

[0029]Application engine contains the sauce searching engine 140, the address 
searching engine 142, and the arrangement engine 144. As for packet classification 
engine, sauce searching engine, address searching engine, and an arrangement engine, 
it is preferred that it is programmable using one or more application programs. That is, 
as for the sub engine of packet classification engine and application engine, it is 
preferred respectively that programmable microcode drive embedding type processing 
engine is included. In other embodiments, it is possible to be hardware, namely, to carry 
one or more of these engines out as a hard- wired logic. The regulation engine 166 can be 
carried out with a hard-wired logic or programmable microcode drive embedding type 
processing engine. 

[0030] As for the packet buffer 132, it is preferred to receive and store the inbound 
packet 146. An inboimd packet or its thing [ providing the packet classification engine 
134 with 148 in part ] of a packet buffer is preferred. As for packet classification engine, 
it is preferred to use the apphcation program currently programmed on it and to classify 
a packet, and it is preferred to provide the apphcation engine 138 with the program 
discernment 152. In details, it is more preferred to provide the sauce searching engine 
140, the address searching engine 142, and the arrangement engine 144 of apphcation 
engine with the program discernment 152. According to one embodiment of this 
invention, the packet classification engine 134 contains the classification logic based on 
a decision tree. 

[0031]It is preferred to use the program discernment 152 and to choose the application 
program executed by each of sauce searching engine, address searching engine, and an 
arrangement engine. As for the application program executed with sauce searching 
engine, address searching engine, and an arrangement engine, it is preferred to be 
selectively chosen based on packet classification information at least. Packet 
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classification information can be provided with program discernment. 
[0032]An inbound packet or its thing [ providing the pattern-matching search logic 136 
with 150 in part ] of a packet buffer is preferred. As for pattern-matching search logic, it 
is preferred that the pattern defined for comparing a part of packet or packet in advance 
is included. For example, both some packet header data, some packet payload data, or 
packet header data and packet payload data [ some of ] can be included by a part of 
packet used for pattern matching. At other embodiments, the pattern defined in 
advance can be existed in the external memory which pattern-matching search logic 
accesses for pattern matching. At other embodiments, a matching pattern can be 
changed by the packet switching controller working. 

[0033]After comparing, it is preferred to provide the appUcation engine 138 with 154 as 
a result of comparison. In details, it is more preferred to provide the arrangement 
engine 144 of application engine with 154 as a result of comparison. In one embodiment, 
only when there is consistency, it is possible to provide an arrangement engine with a 
result. 

[0034]As for the sauce searching engine 140, it is preferred by using the source address 
of an inbound packet and carr3dng out source address search selectively at least to 
generate the arrangement advice 160 to an inbound packet. As for the arrangement 
advice 160, it is preferred that it is dependent on the application program executed with 
the sauce searching engine 140 according to the program discernment provided with 
packet classification engine. As for the arrangement advice 160, it is preferred to 
include the security advice to an inbound packet. 

[0035]In other embodiments, it is possible to use the sauce searching engine 140 and to 
build one or more keys, and it is possible to use this subsequently and to search an 
address table for the source addresses (IPSA etc.) to an inbound packet. Although 
virtual LAN discernment (VLAN ID), application discernment (APP ID), and one or 
more of IPSA can be included by the key, it is not limited to this. It is also possible to use 
one or more keys built with the sauce searching engine 140, for example, to decide upon 
arrangement advice of security advice etc. 

[0036]As for the address searching engine 142, it is preferred to receive the output 156 
fi:om the sauce searching engine 140, The output 156 can include the result of the key 
used in order to search for a source address, and/or search. As for address searching 
engine, it is preferred to execute the application program identified with the packet 
classification engine 134, and to generate one or more regulation identifiers (ID) 168. 
Regulation ID 168 can be selectively based on the destination address search which uses 
the destination address of an inbound packet at least. 

[0037] As for the regulation engine 166, it is preferred to use regulation ID 168 as a key 
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and to access the regulated data of a regulation data table. As for the regulation engine 
166, it is preferred to use the accessed regulated data and to generate one or more 
regulation advice 170. When an arrangement engine uses regulation advice and other 
arrangement advice, it is preferred to generate the apphcation data vsrhich can include 
arrangement determination. As for the pattern-matching result 154, when the 
pattern-matching search logic 136 finds consistency, it is preferred to give priority over 
regulation advice. It is preferred by using regulation advice and choosing the regulation 
advice in the case of being the worst to generate one advice. The regulation engine can 
also carry out an accounting (accounting) function. 

[0038]In other embodiments, it is possible to use the address searching engine 142 and 
to build one or more keys, and it is possible to use this subsequently and to search the 
destination addresses (IPDA etc.) of an inbound packet in an address table. Although 
virtual LAN discernment (VLAN ID), application discernment (APP ID), and one or 
more of IPDA can be included by the key, it is not limited to this. 

[0039]Although the arrangement engine 144 includes security advice of the 
arrangement advice 160, the regulation advice 170, and the pattern-matching result 
154, it is preferred to receive some arrangement advice which is not limited to this. As 
for an arrangement engine, it is preferred to generate the arrangement determination 
162 based on arrangement advice and packet sorting, and/or program discernment. One 
of the arrangement advice can be included by the arrangement determination 162. 
Generally, the pattern-matching result 154 can give priority over the regulation advice 
170, and the regulation advice can give priority over security advice of the arrangement 
advice 160. Although one or more of account data, routing data, and regulated data can 
be included by the arrangement determination 162, they may be some apphcation data 
which are not limited to this. 

[0040]It is preferred to use it for edit of the inbound packet which provides a packet 
buffer with arrangement determination and is provided as the outbound packet 164. It 
is preferred to supply arrangement determination to a regulation engine again for 
regulation and accounting. For example, when an inbound packet is dropped, the 
regulation engine should recognize that. A regulation engine can be included by address 
searching engine at other embodiments. In such a case, as for arrangement 
determination, it is preferred to be provided for address searching engine for regulation 
and accounting. 

[0041] Drawing 5 is a process-flow figure which uses two or more arrangement advice 
and classification information, and generates arrangement determination by a program. 
It is Step 180 and, as for packet buffers, such as the packet buffer 132 of drawing 4 . it is 
preferred to receive an inbound packet, for example. In a packet buffer, it is possible to 
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extract packet header data and to store in a header data cache. 

[0042] Header data can be included by a part of inbound packet or inbound packet, for 
example, it is preferred to be provided for pattern-matching search logic, such as the 
pattern-matching search logic 136 of drawing 4 . It is preferred to generate 
pattern-matching advice at Step 182, as pattern-matching search logic carries out 
pattern-matching search between a part of inbound packet or inbound packet, and a 
predetermined pattern and is shown by Step 188, For example, a predetermined pattern 
can be contained in an internal memory or external memory. According to other 
embodiments, a matching pattern may change dynamically. 

[0043] On the other hand, it is also preferred to provide packet classification engine, 
such as the packet classification engine 134 of drawing 4 . with an inbound packet or its 
part, for example. It is preferred it to be preferred to classify a packet as for packet 
classification engine, and to identify an appUcation program at Step 184, based on the 
classification of a packet. It is preferred to provide the sauce searching engine of 
application engine, such as the application engine 138 of drawing 4 , address searching 
engine, and an arrangement engine with program discernment at Step 186, for example. 
As for program discernment, it is preferred that the application program executed with 
such sub engine is shown. It is preferred to provide sauce searching engine, address 
searching engine, and an arrangement engine with packet classification information. As 
for sauce searching engine, it is preferred to generate security advice at Step 190, and, 
as for a regulation engine, on the other hand, it is preferred to use regulation ID ficom 
address searching engine, and to generate regulation advice at Step 192. 
[0044]It is preferred to provide an arrangement engine with pattern-matching advice, 
security advice, and regulation advice at Step 194. As for an arrangement engine, it is 
preferred to use one or more of the selected appUcation program and arrangement 
advice, and to generate arrangement determination. It is preferred to provide a packet 
bufifer with arrangement determination, to use this, to edit an inbound packet at Step 
196, and to transmit as an outbound packet. It is preferred to supply arrangement 
determination to a regulation engine again at Step 198 for example, for regulation, 
accounting, etc. 

[0045]III. As for a regulation engine, in one embodiment of multilevel regulation this 
invention, it is preferred to use the multilevel regulation logic which regulates the 
traffic which he follows through a packet switching controller based on two or more 
poUcy groups. As for a customer, in its bandwidth contract, it is preferred to specify 
bandwidth appMcable to suitable policy groups and those groups. It is possible to specify 
that a customer pays 1 Gbps of data traffic about a specific port in his bandwidth 
contract in an illustration scenario. The customer can assign a different data flow limit 
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to the subnet of his company. For example, the customer can Umit an engineermg 
subnet to 300Mbps, and can hmit an accounting subnet to 100Mbps. A customer is the 
whole company and can specify that it limits the traffic of a web to 200Mbps. Instead of 
regulating only traffic for every port regardless of the type of traffic, therefore, web 
traffic, It is possible to identify and regulate the traffic which makes an engineering 
subnet or an accounting subnet the source of dispatch based on each threshold. 
[0046]It is also possible to judge QoS operation by the bandwidth contract between a 
service provider and a customer. The QoS operation can identify QoS applicable to the 
traffic which fuffiUs flow conditions. Maximum band width, minimum bandwidth, peak 
bandwidth, a priority, waiting time, a jitter, the maximum cue depth, the maximum 
queue buffer, etc. can be shown by QoS operation. 

[0047]As a part of general solution, a bandwidth regulation function controls 
penetration data speed for every flow, and limits regulating the flow of traffic etc., and 
fabricating is preferred. Drawing 6 i s a block diagram showing regulation of a different 
flow. As for a regulation parameter, it is preferred to be established by defining a 
KOMITTEDDO information rate (CIR) per byte for every time, and defining both of 
KOMITTEDDO burst sizes (CBS) and surplus burst sizes (Electronic Broking Systems) 
per b3rte. As for a packet, it is preferred to be classified namely, marked on the 1st 
bucket (drops proper (DE) bucket) 200 and the 2nd bucket (drops bucket) 202. 
[0048]When a packet is shown with given entry speed, it is preferred to be marked by 
the present balance in each bucket and the relation to CBS and Electronic Broking 
Systems. As for the 1st bucket, it is preferred to maintain abandonment proper (DE) 
balance. As for the 2nd bucket, it is preferred to maintain drops balance. When entry 
speed is smaller than CBS, marking on a packet with transmission is preferred. Entry 
speed is larger than CBS, or although it is equal to it, when smaller than Electronic 
Broking Systems, marking on a packet with DE is preferred. Entry speed is larger than 
Electronic Broking Systems, or when equal to it, marking on a packet with drops is 
preferred. 

[0049] Drawing 7 i s one embodiment of this invention, and is the regulation data table 
250 used in order to regulate a data packet based on two or more policy levels. The 
regulation data table 250 can be stored in the regulation engine which can suppose that 
it is the same as that of the regulation engine 166 of drawing 4 . The regulation data 
table 250 can also be called a regulation database. 

[0050]The regulation data table 250 contains the regulated data which checks the 
current speed of the traffic which he follows through packet switching controllers, such 
as the packet switching controller 130 of drawing 4 , for example. Although the 
regulation data table 250 can be constituted from various methods, it is preferred that 
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constitute as an entry one by one and each entry provides the regulated data 252 
related with the specific pohcy group. As for each regulated' data 262, it is preferred to 
identify by original regulation identifier (ED) / key 254. 

[0051]As for regulation ID254, it is preferred to identify a different policy group who can 
classify a packet. As for each regulation ID254, it is preferred to comprise the customer 
identifier 254a and/or the apphcation identifier 254b. As for a customer identifier, it is 
preferred to identify a specific customer based on a source address, a physical port, etc. 
As fdr the application identifier 254b, it is preferred that it is the internal identifier 
assigned by application RAM based on the type of the application related with the 
packet. Illustration apphcation contains a Web site application, voice-over IP (VoIP) 
apphcation, etc. 

[0052]It is preferred that the following regulation ID256 enables it to identify the pohcy 
group of the addition which telescopic search of a regulation database can apply to 
Paquette. It is preferred to search the regulated data 252 related with those policy 
groups, and to carry out present Paquette's speed check. 

[0053]As for each regulated data 252, it is preferred that the limit of the present 
bandwidth and each policy group's bandwidth identified by regulation ID254 is shown. 
As for the drops balance 252c and the drops proper (DE) balance 252d, it is preferred to 
maintain the count of the quantity of traffic which progresses through the Paquette 
switching controller. It is preferred to advise to carry out DE and the mark which 
transmit present Paquette for the drops balance 252c and the DE balance 252d as 
compared with the drops limit 252e and 252 f of DE hmits, respectively, and to transmit, 
or to drop immediately. As for the drops balance 252c, not **************ing is 
preferred until the DE balance 252d becomes larger than 252 f of DE limits. 
[0054]As for each regulated data 252, it is preferred that the time stamp 252b in which 
the time when the last balance calculation was carried out is shown further is included. 
If the present time and the information on a time stamp are given, it is possible to 
calculate the trajBSc speed in this time by measuring the time which has passed since 
the last balance calculation. The size of the increment of a time stamp can be adjusted 
based on the value of the budget (CIR) 252a currently too maintained by the regulation 
data table 250. For example, the budget value can give a definition as a number of bjrtes 
per time stamp increment at one embodiment of this invention. 

[0055]As for a regulation engine, in the shown regulation data table 250, it is preferred 
to generate the 1st pohcy result which shows arrangement of the packet which carried 
out the speed check 258 or 260 based on 1st regulation ID, and was advised. As for a 
regulation engine, it is preferred to judge whether a packet is regulated based on an 
additional policy group. Therefore, as for a pohcy engine, it is preferred to investigate 
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following regulation ID field 256 and to search the regulated data identified by ID. 
Subsequently, it is preferred to carry out the 2nd speed check 262 to the same packet, 
and to generate the 2nd policy result based on the 2nd speed check. It is possible to 
continue an additional speed check and to carry out based on the value about following 
poMcy ID field 256. In one embodiment of this invention, it is possible to maintain the 
performance of line speed, carrying out each packet pair and performing a maximum of 
four regulation algorithms. In otheir embodiments, it is possible to perform few [ that it 
is more than four or ] regulation algorithms. 

[0056] Drawing 8 i s an illustration flow chart of a multilevel regulatory process. It starts 
at Step 300 and, as for a process, it is [ a regulation engine ] preferred to receive new 
regulation ID to an ingress packet. It is preferred that a regulation engine searches 
with Step 302 the regulated data related with regulation ID. It is preferred that a 
regulation engine calculates new drops balance or DE balance by the following desirable 
formulas at Step 304. 

[0057]By a balance new= balance oid-[budget x(time-time stamp)]+ packet size top 
formula, balance new and balance old, It is preferred to express the new balance to the 
drops bucket or DE bucket related with regulation ID and the present balance, 
respectively. As for a budget, it is preferred to express the budget 252a related with 
regulation ID, such as CIR, Present drops balance and DE balance correspond to the 
drops balance 252c and the DE balance 252d, respectively. As for time and a time stamp, 
it is preferred to express the time and the time stamp 252b of the present when it is 
related with regulation ID, respectively. As for a packet size, it is preferred to express 
the size of the packet currently processed. 

[0058]At Step 306, new drops balance or DE balance is apphed to the drops limit 252e or 
252 f of DE hmits. It is preferred to apply this balance to DE balance until it exceeds DE 
limit. It is preferred to measure DE balance and DE hmit, and as for a regulation engine, 
when DE balance is smaller than DE Umit, it is preferred to make a decision which 
transmits a packet. When DE balance exceeds DE limit, it is preferred to apply this 
balance to drops balance. Subsequently, it is preferred to measure drops balance and a 
drops limit, and when drops balance is smaller than a drops limit, it is preferred [ a 
regulation engine ] to determine to mark with DE and to transmit a packet. However, as 
for a regulation engine, when a drops hmit is exceeded, it is preferred to determine to 
discard a packet immediately. 

[0059]For example, actually, new balance is calculated and it is preferred to rank second, 
to measure DE limit and a drops Umit, and to determine transmission status. As for 
balance, being updated based on a transmission result is preferred. For example, when 
marked on the packet with transmission, it is preferred to update DE balance. That is. 
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as for DE buckets, such as the 1st bucket 200 of drawing 6 , when marked on the packet 
with transmission, being filled is preferred, for example. As other examples, when 
marked on the packet with DE, it is preferred to update drops balance. That is, when 
marked on the packet with DE, drops buckets, such as the 2nd bucket 202 of drawing 6 , 
are filled. DE bucket is already filled at this time. Since both buckets are filled at this 
time as other examples when marked on the packet with drops, DE balance or drops 
balance is not updated, either. 

[0060]It is judged whether regulation ID of the addition shown to the present packet at 
Step 308 exists. When it exists, a process returns to Step 302, searches the regulated 
data identified by additional regulation ID, and generates an additional policy result. 
[0061]It is preferred that a regulation engine notifies a policing residt to arrangement 
engines, such as the arrangement engine 144 of drawing 4, at Step 310, for example, 
and this can be called regulation advice again. In the case where two or more poHcy 
results are available to the packet currently processed, as for a regulation engine, it is 
preferred to choose the most conservative pohcing result, i.e., the poMcing result in the 
case of being the worst, and it is preferred to return the result to an arrangement engine. 
As for an arrangement engine, it is preferred to use arrangement advice of others, such 
as a pohcing result and security advice, and a pattern-matching result, and to generate 
arrangement determination. 

[0062]As for a regulation engine, at Step 312, it is preferred to receive the notice of 
arrangement determination from an arrangement engine. The arrangement 
determination can include the determination about whether the packet was transmitted, 
or it marked with DE and transmitted, or it dropped. It is preferred to judge whether 
the regulation engine transmitted the packet at Step 314. When that is right, each 
regulated data related with the transmitted packet is updated at Step 316 reflecting the 
traffic which increased, 

[0063]As for the value updated in a regulation database, it is preferred that DE balance, 
drops balance, and one or more of a time stamp are included. As for DE balance, being 
updated when smaller than DE hmit is preferred. Drops balance has DE balance larger 
than DE hmit, and it is preferred to be updated when drops balance is smaller than a 
drops limit. It is preferred that neither is updated, when both balance is over each Mmit. 
For example, when packets, such as a frame, are dropped for the arbitrary reasons 
shown by arrangement determination in all cases, it is desirable to add the value of a 
"packet size" (size of a packet) to neither of the balance. Thus, it is preferred that an 
exact count is created about the packet which carries out ingress to an exchange fabric. 
[0064]IV. In one embodiment of flow speed regulation this invention provided with 
deferment debiting, it is preferred to keep unchanged (deferred) and to use debiting 
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with flow speed regulation. Drawing 9 i s the block diagram 400 of the packet switching 
controller which is provided with deferment debiting and has flow speed regulation in 
this embodiment of this invention. Deferment debiting can be used together with 
multilevel regulation logic. 

[0065]As shown in drawing 9, the field extracting apparatus 402 receives a packet, 
keeps flow information unchanged with the general decision logic 408, provides the 
DEBITTO regulation logic 410 with it, and provides the packet size computing device 
404 with a packet. The packet size computing device 404 provides the packet size buffer 
406 with an output, and provides the packet buffer 412 with a packet. It keeps 
unchanged with the general decision logic 408, and the DEBITTO regulation logic 410 
provides the arrangement logic 414 with general decision results and a policing result, 
respectively. Arrangement logic provides the packet buffer 412 with an arranging result. 
The arrangement logic 414 keeps an arranging result unchanged, and provides the 
DEBITTO regulation logic 410 with it, and this uses an arranging result and packet size 
information for deferment debiting, 

[0066] Since the customer with the qualification for receiving a different quahty of 
service is vying in the bandwidth of a share network, flow speed regulation is becoming 
still more important in data-communications networking. Usually, flow speed 
regulation compares the packet within a flow with one or more bandwidth contracts 
that the flow was defined, (i) include the thing which discard; (for example, the packet - 
the abandonment - it marks that it is proper) or the (iii) packet which recognizes a 
packet by;(ii) conditional [ which recognizes a packet without conditions ] and which is 
attached [ it is alike and ] and solved. 

[0067]Usually, a flow speed regulation method maintains a "token bucket", and 
expresses available bandwidth under each bandwidth contract now. Usually, it is 
considered that a packet is in the bandwidth contract of a flow when sufficient token 
exists in the bucket currently maintained for the contract now, and when sufficient 
token does not exist in the bucket currently maintained for the contract now, it is 
considered that the packet is over a contract. A token is added to a bucket via a time 
credit as time passes. A token is subtracted from a bucket when a packet is recognized 
via packet size DEBITTO. 

[0068]The general formula used ia order to maintain the state of a token bucket is as 
follows. 

[0069] a TCnew=TCoid+C-D top type ~- TCnew= - new token count TCoid= - it is an old 
token count C= time credit D= SAIZUDE bit. 

[0070]It is possible to apply one instance of a token bucket characteristic equation, and 
to carry out easy recognition/abandonment regulation determination as follows. When 
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arriving for regulation determination of the packet within a flow, the time credit C 
reflecting the time which has passed since the regulation determination about a 
precedence packet is added, By subtracting the SAIZUDE bit D reflecting the size of the 
present packet, new token count TCnew to the bandwidth contract of a flow is calculated. 
Subsequently, new token count TCnew to the bandwidth contract of a flow is compared 
with zero. When new token coimt TCnew is larger than zero or equal to zero, the present 
packet is in a bandwidth contract and is recognized. When new token count TCnew is 
smaller than zero, the present packet is over a bandwidth contract and is discarded. 
[0071]It is possible to apply two instances of a token bucket characteristic equation to 
the same flow, and to provide the policing result refined more. For example, it is possible 
to maintain independently an abandonment token bucket and an abandonment proper 
token bucket to a flow. In that case, although new abandonment token count TCnew-de is 
larger than zero or equal to zero, when smaller than zero, the present packet has new 
abandonment token count TCnew-a in an abandonment bandwidth contract, biit it is over 
an abandonment proper bandwidth contract, therefore, the present packet — 
abandonment (since it is over an abandonment proper bandwidth contract) - it is 
recognized on condition that it is marked that it is proper (since it is in a drops 
bandwidth contract). Such a 3 level "double token bucket" regulation method is 
indicated to IETF Request for Comment 2697 of the name "A Single Rate Three 
ColorMarker." 

[0072] applying a token bucket characteristic equation and regulating high-speed data 
flow with the packet switching controller of present condition art, subtracted the 
SAIZUDE bit D which is reflecting the size of the present packet especially, and it was 
faced with practical difficulty about instruction of making a regulation decision after 
that. To the 1st, the size of the present packet can be determined in the exterior of 
regulation logic. Therefore, the SAIZUDE bit D to the present packet may not be 
available when a regulation decision is made. The last arrangement of a packet may not 
be directed to the 2nd only by regulation determination. Therefore, the total (deduction) 
of the SAIZUDE bit D to the present packet may demand to be behind reverse. The 3rd 
will consider that the present packet exceeds a bandwidth contract, even when token 
sufficient when the SAIZUDE bit D to the present packet makes a regulation-after total 
decision to accommodate most (they are not all) packets exists in a bucket. 
[0073] Since data transfer speed is more nearly exponentially [ than the maximum 
packet size ] large by a high-speed controller, the practical advantage which deducts the 
SAIZUDE bit D to the present packet, and makes a regulation decision after that on the 
other hand is not clear. As long as the SAIZUDE bit D is created by within a time 
[ behind moderate ], it is a grade to which it is on the title to a flow at most, and a 
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temporary bandwidth breach of contract is carried out. 

[0074] In this embodiment of this invention, it is preferred to conquer the 
above-mentioned difficulty about using deferment debiting and regulating high-speed 
data flow with the apphcation of a general token bucket characteristic equation. 
[0075] For example, it is possible to provide the data regulation method. The data 
regulation method, ; which receives a packet - a time credit being added to the 1st 
token count, and. ; which generates the 2nd token count the policing result to; packet 
which generates the policing result to a packet with the application of the 2nd token 
count is applied, a SAIZUDE bit is subtracted jfrom the 2nd token count, and the 3rd 
token count is generated. Or it is preferred that what a SAIZUDE bit is not subtracted 
from the 2nd token count, and the 3rd token count is not generated for is included. 
[0076]The data regulation method can have what the policing result to the 2nd packet is 
generated for with the application of the; 4th token count which adds; time credit which 
receives the 2nd packet to the 2nd token count, and generates the 4th token count. 
[0077]It is possible to provide other data regulation methods. This data regulation 
method, ; which receives a packet - a time credit being added to the 1st token count, 
and. ; which generates the 2nd token count - with the application of the 2nd token 
count. ; which generates the pohcing result to a packet - the arranging result to; packet 
which generates the arrangiag result to a packet with the apphcation of the policing 
result to a packet is applied, a SAIZUDE bit is subtracted from the 2nd token count, and 
the 3rd token count is generated. Or it is preferred that what a SAIZUDE bit is not 
subtracted from the 2nd token count, and the 3rd token count is not generated for is 
included. 

[0078]It is possible to apply a policing residt in this data regulation method as advice 
which has other at least one advice, and to generate the arranging result to a packet. 
[0079]; in which other data regulation methods receive a packet - a time credit being 
added to each of a token count, and. ; which generates each of the 2nd token count 
with the application of each of the 2nd token count. ; which generates the policing result 
to a packet - the pohcing result to a packet is apphed, a SAIZUDE bit is subtracted 
from at least one of the 2nd token counts, and at least one 3rd token count is generated. 
Or it is preferred that what a SAIZUDE bit is not subtracted from at least one of the 
2nd token counts, and at least one 3rd token count is not generated for is included. 
[0080] Other data regulation methods, ; which receives a packet - a time credit being 
added to each of a token count, and. ; which generates each of the 2nd token count - 
with the application of each of the 2nd token count. ; which generates the policing result 
to a packet - with the application of the policing result to a packet. ; which generates 
the arranging result to a packet - the arranging result to a packet is applied, a 
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SAIZUDE bit is subtracted from at least one of the 2nd token counts, and at least one 
3rd token count is generated. Or it is preferred that what a SAIZUDE bit is not 
subtracted from at least one of the 2nd token counts, and at least one 3rd token count is 
not generated for is included. 

[0081]The following data regulation methods show the flow speed regulation provided 
with deferment debiting in one embodiment of this invention further. 
[0082]The data regulation method adds; time credit which receives a packet to the 1st 
token coimt, ; which generates the 2nd token count policing result which generates 
the poUcing result to a packet with the apphcation of the 2nd token count, [ apply and ] 
It is preferred that what subtract a SAIZUDE bit from the 2nd token count, and the 3rd 
token count is generated, or a SAIZUDE bit is not subtracted from the 2nd token count, 
and the 3rd token count is not generated for is included. 

[0083]As for this data regulation method, it is preferred that what the policing result to 
the 2nd packet is generated for with the application of the; 4th token count which adds 
further; time credit which receives the 2nd packet to the 2nd token count, and generates 
the 4th token count is included, 

[0084] Other data regulation methods, ; which receives a packet a time credit being 
added to the 1st token count, and. ; which generates the 2nd token count - with the 
apphcation of the 2nd token count. ; which generates the poMcing result to a packet --; 
arranging result which generates the arranging result to a packet with the application 
of a policing result is apphed, a SAIZUDE bit is subtracted from the 2nd token count, 
and the 3rd token coimt is generated. Or it is preferred that what a SAIZUDE bit is not 
subtracted from the 2nd token count, and the 3rd token coimt is not generated for is 
included. It is possible to generate an airanging result with the apphcation of a poUcing 
result as advice which has other at least one advice. 

[0085] Other data regulation methods, ; which receives a packet - a time credit being 
added to each of a token count, and. ; which generates each of the 2nd token count - 
with the apphcation of each of the 2nd token count. ; which generates the poMcing result 
to a packet - a pohcing result is apphed, a SAIZUDE bit is subtracted from at least one 
of the 2nd token counts, and at least one 3rd token count is generated. Or it is preferred 
that what a SAIZUDE bit is not subtracted from at least one of the 2nd token counts, 
and at least one 3rd token count is not generated for is included. 

[0086] Other data regulation methods, ; which receives a packet - a time credit being 
added to each of a token count, and. ; which generates each of the 2nd token count 
with the application of each of the 2nd token count. ; which generates the policing result 
to a packet --; arranging result which generates the arranging result to a packet with 
the application of a policing result is apphed, a SAIZUDE bit is subtracted from at least 
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one of the 2nd token counts, and at least one 3rd token count is generated. Or it is 
preferred that what a SAIZUDE bit is not subtracted from at least one of the 2nd token 
counts, and at least one 3rd token count is not generated for is included. 
[0087]Probably, there is no difficulty in devising a modification gestalt in any way, 
without never deviating from the range and pneuma of this invention, if it is a person 
skilled in the art, although this invention was explained about a certain specific 
embodiment. Therefore, this invention should understand that it is possible to perform 
by the method except having explained in detail. Therefore, it should be considered that 
this embodiment of this invention is iUustration-like at all points, and is not restrictive, 
and the range of this invention is shown by not the above-mentioned explanation but an 
attached claim and equivalent. 



DESCRIPTION OF DRAWINGS 



[Brief Description of the Drawings] 

[Drawing li lt is a figure of the network environment containing a packet switching 
node which uses one embodiment of this invention. 

[Drawing 2] It is a block diagram of the exchange interface in one embodiment of this 
invention, 

[Drawing 31I t is a block diagram of the programmable Paquette switching controller in 
one embodiment of this invention. 

[Drawing 4]I t is a block diagram of the packet switching controller which has 
programmable arrangement logic in one embodiment of this invention. 
[Drawing 51I t is a process-flow figure which can be set to one embodiment of this 
invention and which generates arrangement determination by a program using two or 
more arrangement advice and classification information. 

[Drawing 61I t is a block diagram showing the process of marking a packet on a different 
classification. 

[Drawing 7ll t is a regulation data table used in order to regulate a data packet based on 
two or more policy levels which can be set to one embodiment of this invention. 
[Drawing 8] I t is a flow chart of a multilevel regulatory process in one embodiment of 
this invention. 

[Drawing 91 It is a block diagram of the packet switching controller which has the flow 
speed regulation provided with deferment debiting in one embodiment of this invention. 
[Description of Notations] 

100 Programmable packet switching controller 
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102, 132, and 412 Packet buffer 
104, 134 packet classification engine 
106 and 138 Application engine 
120 and 166 Regulation engine 
122 and 170 Regulation advice 
124 Regulation ID 
130 Packet switching controller 
136 Pattern-matching search logic 
140 Sauce searching engine 
142 Address searching engine 
144 Arrangement engine 
146 Inbound packet 

148 and 150 An inbound packet or its part 
152 Program discernment 
154 Pattern-matching result 
156 Output 

160 Arrangement advice 

162 Arrangement determination 

164 Outbound packet 

168 Regulation identifier 

200 The 1st bucket (drops proper (DE) bucket) 

202 The 2nd bucket (drops bucket) 

250 Regulation data table 

252 Regulated data 

252a budget (CIR) 

252b Time stamp 

252c Drops balance 

252 d Drops proper (DE) balance 

252e Drops limit 

252f DE limit 

254 Regulation identifier (ID) / key 

254a Customer identifier 

254b Application identifier 

256 The following regulation ID field 

258 and 260 Speed check 

262 The 2nd speed check 

402 Field extracting apparatus 



404 Packet size computing device 

406 Packet size buffer 

408 General decision logic 

410 Deferment DEBITTO regulation logic 

414 Arrangement logic 

* NOTICES * 

JPO and INPIT are not responsible for any 
damages caused by the use of this translation. 

1. This document has been translated by computer. So the translation may not reflect 
the original precisely 

2. **** shows the word which can not be translated. 
3.1n the drawings, any words are not translated. 
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x>>'> 14 0. ^5fe^^:c>>S^> 142. *5cfcD12g 

x>^;?> 1 4 4^^ti^. /s^^r^i; F^SHx>-:;>>, v-x 
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¥mW}MiA^mmMs.:ytyy^'^t^Ct^m^h^\ fife 
UrSUS^'SC i7&i^"prtBl?4)^o *I$IJ:c>S^> 1 6 6 

[0 03 0 ] f>'>'^:':7T 1 3 2^*. F 

h 1 4 6 ^Sft*5<t D^Wft-r-S C blK 

14 0. ^5fe^*x>S» 14 2. 4-d j:0^i2gx>s;^> 

1 4 4 (icmm^?>c tmf^ u ^^bjo— 

Ti*. ^^^y h^55^Wx>SP>l 3 4^^. ^^*&C«-^< 

10 0 3 I] y'u^^'yAmmibz^imbx. v-:^ 
x>i>>, *5cfcD^l2®x>s;^>-eiltf"r€>r:7"y^->' so 

h:0^«W*Kt*. >^'P^*^AIiSiJ<f:ft5Cti«'rSC6:?&^Rr 
[0 03 2] Sfc. ^-^^v V^-^vy y\%. ^>^^^^>F 
ffll 3 6«j6fit'r'SC<t:^«SUl^o 

[0 0 3 3 ] i\m^mkhic%.. mtoM^ 1 5 4^t 

7'ij>$r-^>a>x>2;^>l 3 8 0cM*'r^Ci::^W$L/ 50 
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H>x>s^>cDi2gx>e^> 1 Ac ttm 

[0 0 3 4] y-Xjl^^X>f^>14 0». -f>^^^^> 
F>'^°'^^^;; KDV-XT FUXJ&ffiffltr. V-XTFW 

^ys^'i;^ F^>-^ V htcM^^iegsft^ 1 6 0 ^^m-^ 

Ct:^m*Li^K $/c. lagfillS 1 6 0 ^^N'^^^'FiS^ 
ax > tcd: o r ffitt ^ n^^c P i5f ^ A»J5c«e o r 
y-;;^Siis^x>5;^> 1 4 or^tf ^ti^^cT^'U ^-^>3 
>y*p^J^^A5cfSI?*r^c<h;&5»SUi>. ieg«6#l 6 

0^*. -^>/^'»^7>F^^'^*:' h CC^-rS-fe* ^ U SilS 

[0 0 3 5 ] m<DmmW3x^t. y-x^^x>e;?> 1 

:/;l/TH'>>^^*^?>F>'^•^>:' hOc^f^^y-XT Fi/X 
(I PSA:^j:^) ^gg^-r^Ci^^pJIIt^^So 
kt. mMLANm^l (VLAN I D) . 
B>m^i (APP I D) . *5J:C;^I PSAtDl-^Sfc 

CDTi^Jfel^o ^/c. y-Xgg^X>-:P>l 4 OOCJ:-:3T 

if;i/Fstifci-^sfc^*a^<D=^^-*ffiraL-c. m^u 

[0036] %5teSg*x>S/> 142^^. y-XgiiSlx 

>s;^>i 4 07&^6ffl:^ji bd^^m^^ctmmb 

(±1:^3 15 6^^. y-XT FU'X^^^f 'S>/cdf)^cffi 
fflT 4^ -feci: C>VS i^c^*l^^cOite:^^$ti^ t: <t pffg 
t?*So %51^^x>$;?>t^, F55^^:c.>^:»l 
3 4 oci: o Tii;3iJ§ nfcT y* U ^ -i'^ H > y'p A ^ 

^^mr^ ct^m^ ut^o mm iBiesu. ^ >>'^* 

^> F^^'^^:^ hCD^5feT F W'X^igfla'r ^^5feT FUX 
[0 03 7 ] *i$IJx>5;^> 166^*. »J I D 1 6 8 * 

WLommm^ i ? o ^mm-^ c ^i^^^^g^* isgx 

5 4 tt. *I§lM#OCffi$fe^ ^ C <h L l^o *Ift«SiJ^ 

^ffiffl U r . ;SM(D«'&CD«*IJSIl^^3lJR*r S c i i: 

m:t,y^J-^U. ^it (accounting) M^^m 
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[0 03 8] mommmpMTu. ?H^g^*x>iP> 1 4 

,«LAN»J (VLAN I D) > TV^} ^-l^ ml^Wt 
m (APP I D) . *Jj:DfI PDA©loiSfct*»|^ 

[0 03 9] iBgi>J^> 1 4 4tt. IHMSil^l 60© 10 

"^^^^j^-tm^. msm^iio. *i<i:ovN-^?->s 

Aiispca-^i^-c. laM^ffi 1 e 2 ^^ig-rsc i 

U l»= leg^lS 1 6 2 tt. IBgtll^© 1 o^^tp 

1 7 0 ic^-r?> c ij&snjtg-c* f3 . mm 
Wi^it. iegt&# 1 6 0 ©-fe^ y 7^ Mr#(cs^-r -S) 

CiJ&s-pJtl-Cib-So mmW:Ml 6 2«. ^1+7=" 3?. g 20 

mn^^-~ ^ V J: iytji^f*- ^ © i 

[0 04 0] i3M^3e%''^•'>•-J' F'''<->:7r«:Si#lL.> T 
-i? Fv'^■'^^.:. F 1 6 4i Ur^fftStlS 

2, FA5 FP -yt^'Sn-Sit^ *IM:i^>5»»> ^©Ci 

[ 0 0 4 1 ] la 5 », «^©iBgiliei^®m«%ffiffi 

L/r> i3g^*:7*Pe/^A-e^^-r-5:7'a-l2;^©SiEn 
El-Cab-So y^T-f:7*l 8 0-e, mtf. m4rO->-^^y h 
J^vVr 1 3 2 E<DJ^^ F y r >>'^*'i? > 
F>'>-^-y F*^«'r5C<b*3»tL.t,», F>'^5':=' 

[0 04 2] -^>^-?>f >F^^'■5r^» F F 

J-^^'j F^/cK'f>>'^'"i7> F^A'^^-:/ F©— SPi. if^© 
>'';3Z"><!:©W©>'N*^?">M-^^^=&*itL.T. Xt'S' 

8 8-es^snt:t,iSJ;^{c. ^-i^-y^kWs^^^ 

m-r^ctt^m-^bi^K ifS©^^•^->^*, 1*1 

a3^-=euSfctt?fSM*yK:$t?c:<!:*^Bjtg-c*S. fife 50 
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©*JifeJi$^t?tt. ttWKS^bt-SWtl 
14/55 $)€.o 

[0 043] — >^^'•i?> F>'^•^^ y F */ctt^©— 
i|5%v 04©^^•^^ F^fflx>5P> 1 3 4^C 

a\ ^A-^r F:»«x>S^>{Cfl#t-rS C i Uft 
ysf-vVl 8 4-C. F^«x>S»tt, /N'-Jr-:, F 

c b < . ^N-a- -^^ F ©^atca-cJi* 

04©T7'y-5r-»^a>x>s;'> 1 3 8JS:i\ y:/^)^ 
-j.'a>x>5;^>©v-xBgf^x>s;'>, %3fefii^x> 

y'oi^^AiigiJiJ. cn6©l?-:?'x>i;»>t?^f-r.&r 

7'y-5r-Va>:/Pi^-7A*^-rCt3!l5»S l/l*. S 

y 7- m^^^m- a c i b < > -:&*iiijx>>? 
%$fe^«x>5;'>*:>6©a$iJi D^ffifflur. X 

T- -^^ 1 9 2 ■C«liftll§^^-r 6 C iJ&Sjif $ ut,^. 
[0 044] 9 4-C. -fe 

=^^^y^-flft#. fcj:t>m»«^*iBax>s;'>KJitt 

•r-5C<«;*WSUt,»o iBgx>SP>«, M3E/?l^fcT7'y 
iJ^-VaVv'-a i/^A<«:i3g»fe©l -:>^fc{*«^*ffi 

;£>'^•^^^, F 7 T(CSi#fcU> cn^rffifflOT^ Xf^s* 
•flQQX. >>'^*'^7>FA-^5' F*ifH*bt:. T>f F 

F/^•->- 5- FibrjMfi-rSCt^WaL'l:'. S 
fc> ■01];^ , »J*3 J: y>'^tf i^C t'ODfcHiiC . X 7- ^ 1 
9 8 -C, lEg^S^ WKSiftlJx Kft^gf S C i *s 

[0 045] III. 

^=j>Fcf-^'S:a-o-C3ttf F^7^ ^^i'^^^rojjfy 

^mmt?>ct-fymiibiK iiStt. a»©®«iiii*^ 

{c*il>T. jtW^c^ y i'-i^;b-:7'i-?-n6©i^^i'-:7' 
#S©jj<— FK'Olit:, 1 Gb p s©7'— F97 

(DV-y^^'j F{CSflOS-CSCi*SnJ«M-C*-5„ m«> 
x>j;'xTy>i^-9-:/*f F*3 0 OMbp s 

CCPS^L. ^ft-y-^^^ •^'F^lOOMbps icpi^rs 

<i;^:/©F7:7-f -ji'^Z OOMbp sicm^-t^tiU 
^ -Y :7'(cM^^c < . F fitoc F ^ 7 ^ 5/ i?©**^Mf)J 
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[0046] se.{c. •t?--b';^:fp^-J-Y^<i:)B§:i<D^ 

©^^ipi^il^Jfe: J: D , Q o S Kif'P^W^-r 5 C i fcWtl 

i^icmm'^mts: Qo s ^asur-s c ttmm-c$>?,, q 

oSBftfPt*. «Aw«*i, i^/h^Wi. f-^'^^ifi^ 

[0047] ^fesiti*i*jiitgtt. -mirmmm<!:)-m 

5 f f--;- FfffSaK (C I R) ^•&mh. ^OTcn? y 
■5^5; Mf-ZX (CBS) M^-^:^ 

(EBS) h#fi-e^«-rsc:i{c<i:o 

( Fa (D E ) y h ) 2 0 0 t02 /n'^t- 20 

[ 0 0 4 8 ] /^•^r h *S0f-^(DiiAa*t:a^§ n^S i 
#x hrt<D31ftCD-'^'^>Xi, CBS*5J:D'E 

Ul^. mi^^^rv hW. JS^*& (DE) 

^X^lfiJ^t-SCiTSWaLl^o jiAaiK5&sCBSJ;D 

ilAaiJK*5CBS J;«)A#t^*^Sfctt^n(c^Ul> 30 
EBSJ:«34nSI»«^v J^'ryVKIiEL'7'-i>r 

^ct-^m$ViK jiAaa*sEBS J:f3:A:^i,^*^ayc 

[ 0 0 4 9 ] EI 7 tt. imm(D-mMm:ri. asj©*t 
(c^gffl-r smijT^- 7— p^Jb 2 5 0 ■e*>a, aWy"- 

^f7^-:/jrl'2 5 OK. S4CD»Jx>y>> 1 6 6 ilHil 

J&3nJ^-e*-5. gfc. ^IjT^-^f— :/;U2 5 0K. Si 40 

[0 05 0] JIftlj7=- a? f-r^JU 2 5 0 H 
A(Oi^^ -J h3Cfa3> 1 3 Oi^i:^V^•^i» h3g^ 

=i>ha-'7*a-5t:jitf F^7^ s- i'©^ffiSIR*g=- 

x> F U i UT«^U> F #^cOsj< i'" 

i/jl'-:/(cMa#W6n-ri,»S*iW^-:S? 2 5 2 4«« 

mmhm- (lD)/^-254icj:o rilSiJ^^ c i /d^ 50 
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[0 05 1 ] *I$IJ I D 2 5 4». -'■{^r F^^^W-T-SC 

im^^ &^SilJ I D 2 5 4 1I§^)3II^=•2 5 4a 

fccJ:tK/*?c«T>'*';d^"J>'a>m«IJ^2 5 4b*^6« 

m: ti-s c i5&s»s b V "X r F u 

«l;H-F^ci'{c»-r?t,»-c> #^©IM«%»J-r5 

P (VoIP) T:7*yi5r-Sya>it£i;&^tS'„ 
[0052] ;^:©*I»IJI D2 5 6{Cj;9. mmv"-^^ 

■ri,iSSi«7^-4?2 5 2;|r^*Ur. ^^E©>'^•->■^' F© 

[0 05 3] ^•SifljT'-^f 2 5 2 ^&©®«*i. Ife 
DS(C*lf(II D2 54fCJ:oTi^lJStlfc&5Ky;^-i';l' 
-^•©^^lB©Rg)K*^-r C <!:*S*f S Ul^o Fci V'n 
■7>J^2 5 2 ci FP-:'7'»# (DE) >'^'^>X2 5 2 
d«. ^>--ir-, F5^3>Fn"^=&aorjltjF-7-7-/ 
•;;i'©S©;?7'?>F*lt}#-r-5Ci3!)5?!faL'l\ FPi- 
7V^'•7>;^2 5 2 c ^DE^^'^>;^2 5 2 ci%> -g-tl-e 
n F a 7'Rlg2 5 2 e JcD^D ERBS2 5 2 f iibS^ 
Ur. ^tiE©>'^•^^■;, F^K^M-r-S. DEiv-i^^feUr 
fejl-r^, $fc«B|lffi{cFn-;':7"-r?.Ci^Sii^-rSC 
i/5WSUl^„ FP •?7VS^>X2 5 2 ctt. DE>'^*•5 
>;^2 5 2 dJ5SDERaK2 5 2 f J;«3:!ltlr < ^•SS-C> 
^ > y ^ > F S tl I i C i 355Sf t L/ 1 ^ 

[0 054] #»J7"- ^ 2 5 2 tt, 2 6^C. «^*©^^• 
^>:^tf-#*^J»§tlfc^ra*^-r^f'f AX;Sr>'3^2 5 

btcmm=s:wmbx. c©^p^4i© f ^ ^ -f ^ ^'aa* 

ft#f SCi35SnJ#|-e*S„ ^^-r A:^:5^>■7•©ii^©•9• 
-^X{*, ^»D»lj5=^"^7--:/JL'2 5 o^c^i^stit: 
t,^.S>'^'2;'x F (C I R) 2 5 2 a©»cS'5l,^r, 15 

^BJ©— J|)feJ^®t?«. ^^-^AX^^>:/ii^*fc^)©''^* 
Fl^iL/T^tt-rSC:i*SnI«|-C*5. 
[0 05 5] ^L:fcaftl|f'-^f^->^;l'2 5 0-CK. Si 

2 5 8afct*2 6 O^&^SbT. gj^L/c-'S-Jri. h©i3 

S6(c. siftii3:>i»«. -'N-^r.;, F*Jiisn©>i<y^'-i^ 
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d< y 1 D -7 ^ -;L' K 2 5 6 dcmt-^yimcm^^^xm 

[0 05 6 ] ms^t. v;i/^u-<;i'^MM:^'n'feXCDfiJ^ 

20 

[0 05 7] e w =>'>^-5^>Xo , ^ - [^^'^ 

/d^D E ^^^^ b CC^f^-r ^if U l^Ts i^iftCDA^ 

«§IJ I mzMW^^^h\lX\.^hn'i>:^ h 2 5 2 a 
*a*rc i7(^^'*f S L/l^o ^ft<7) F P V'^^y >X i D E 
-etl^tiv FP ^:':7V^*^>;;^2 5 2 c (hD 
E>'^^^>;^2 5 2dtC>£*|£;-r^o BtPeli: ^ AX 30 

Mia?>f AX^?>'7'2 5 2 b^^-rci^^jW^l/t.^. 

[0058] Xf''>:7''306T?. ifbl^FP^i'::'V^^'^> 
XS/'cttDE>'>^'5'>x^. Fn*)/::?WJK2 5 2 eS/t^^: 
DE|?gS2 52 fOcS^Lrit^-rS^ DEIS]g*iS^^ 

ca:)^^'5>x^DE^^'^>;^oc*fur3iffl"r^c 

lK*J:blS-r^C<!:50WSU<. D E^^'^>X5^)^D EPIS 40 

»SL/l^o DE^^'5>:^3^?^^DE|®ffi^ffi^^«-^. CCD 
>X * F P ^'Vs^ ^ > X ^C3iffl*r ^ C S l> 

Xi^n 'Aii>x. ^S*rjx>^>», FP':':7"A'^>x<i: FP 

i)n^x2yyim<i:^^b$^>m^. DEiv-^Ur. >'^' 

FP^^^^'WK^ffi^/cit^. »Jx>iPM^. 
y F ^HPH^ciS^-r ^ C i ^'^S-r-S^ C Ul^o 
[0 059] *I^^C^^. ifl/lv%^'^>X*tf-»: 50 
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DEPgJKcb FP^^^t^miK^tb^L'r. 

2 0 0:&a'DE/^*^^ry F^^, iS^rcStiri^S C iT&^Jf ^ 
bi/=>o flfeC)W<tUr. >'^•^^:; F5CDE i-^-^^nrii 
-S^-^s FP':':7'>'S^^>x^Mif*r5Ci*WSbl.=»c 
'rrj:t>%. /^^y hliCDEt^-i^^nxie>?>t^. M 
d(0m2J^^y h2 0 2&^FP^>:7V>'^^:; F^^. mtc 
StlTC^-So C(DB#,'^.r\ DE^^^^^;; hUirX^cm^X 
l^So fi&<D^!l<hL/r. /"C-ir-y FOC FP^:^::''i^-e'Sn 

ri^^it. m:fj(o^'^^v hthcomf^.xm-^xi^^^ 

<DX. DE/'^^^X*) FPr7-7V\*'^>X*>MifStli& 
[006 0] :^y^yy'3 0 8X. m&(DJ^^ y FOC^tU 

xm-sfifcmmomm i oso^ffa-rs^o^^ocoi^rfl^-r 

-Sp ffUir^m^. y'U'^x^tiX'Tyy's 0 2iiCM^ 

[0 06 1 ] ::^'ryy'3 1 Ot?. ^IPJx>>?>:^s^ 
S4(DiHMx>>?>l 4 4&i\ iHMx>S?>(cSi 

mbxi.>$>^^^ y h^cmm'mmx$>?>m^xkt. »jx 

[0 06 2] :::<Tyy'3 1 2X. mm:^>l^>^t. i2g 

bxmMbfci)\ l^fciit \'nyy'v fcf)^cmr^W^^ 
^t^Ctf)iuSmx$>^o ><f^yy'3 14X. *i$ijx>s;? 

^^x^:hm^. mMbfw^^yYi^mm-^^^hn 

xx^^^mm^lf-^^t. mi^hfcVyy y ^^mkh 

X. x-f-y r7'3 1 er-BifsnSo 

[0 06 3 ] *I|fJr^--^-<--xrMffSnSf»*. DE 
>^^*■^>X. ^Uyy'^^'yyT.^ *5 i: ^? A X ^ > :7'CD 

l'Otfc»«^*-&tfC:<h3&5J^St.l^o DEz-^^^X 

DEFfilK<j:D/^3t^it'&^cMif^n^t:<h;^?^»$U 
l^o FP'^z-i^V^'-^^Xtt, DE/^'^>X;^?5DEPSSj:?) 
iK^<. Yviy :7Vn* ^ >x:;&5 F P y :7'RRjK J: D l^^S 
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[0 0 6 4] IV. fig^7'e.:;7"^>i^^m'5:7 0 

-mmMm 

T^mm^-mmwrn-Cit. (deferred) 

[ 0 0 6 5 ] H 9 (CS^-r J: ^(C. 7 ^ FMa^S4 

4 0 8 iSB# hmiJllil4 1 0 (cil«b, 
•i; F =&^%-^r -i, H?--i' Xff-#Sg4 0 4 Kaft-TS. 

Xtf-»^g4 0 4 mtl^''-^'^ y H?--/X>'>' 20 
•);:774 0 BKMftU. F^A^r-, h^-^v^rA 

1 2 (catt-r§„ — |g^i&ffi4 0 8 tm&^r'b^y F 

*i3aii^4 1 4icmm-?>o mmmmit. mmMm^ 

1 4w. lasitem^iistT'if vmrnkMA i occsi 

F■^^^'Xt«s*«ffl•rSo 
[0 06 6] V n--mMma.s M^c■l.-t^- t*xfp«* 
-S^iftoDtb '!t>mWfi. 2/ F c " i' cD^^ipi^ 30 

1 o$fc»^<D^«lt^i^ii:b«L/-r. < i ) ^Jtc 

L.-C/N--Jr-;; Y^^Wt^ : ( i i ) %.'^¥i^'C}^'T "j F 

: */c» ( i i i ) >^Tv V^mUt^s Kr>\.>X 
[0 06 7] jllS. y P -aK*MlJ*^». r F - > 
*g>&:^J«i*«-r. MS. ISi^ffltciftJfO-riiS-'-N'^^f 

iry FK F-i'>*3ilJn2tl€.o ''•5^^ Ft^-^Xf't'•3 
F^/MyTA^rv F^SjfceSnSI^JC. F*>e> F 

[0 06 8] h-i' lyf^T V F CDm^^^Jt-T-Sfc&tc 50 
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[0 0 6 9] TCa e w = TCo i d +C-D 

TC. . . =«fL(,^ F-i'>*'^?>F 
TCo . d =*l^F-i'>:^'i?>F 

D = i?->fXf'lf F 

[0 07 0] F-^'>-'^''^^2' Ft#iM^©l-3©-{>X$ 

fm%^ik'm(Di-cmmmt s i §• . Tfetf^'-J^^ f jcm-t 
f Fc^iisnUv 3saE©^^•■&•y F©1^-fx%sl^i^^■cl* 

?,t^-fXf=fcf>;; FD*-«»-rsciicJ:oT. 7a-© 
«Wil§*t4c^!=f-r^ffL'l-^F-4'>*-?>FTC. . . 

=few-»-r-2>. 'Xx.^'Q. yvL-cm^^^m^nt^mx^ 
»-ifp(c^bi,^^. 3l^E©^^•^7• », F -^mmmn 

[0 07 1 ] F-^'>^^•^r^r F«^©2-o©^>X^r 

er-^ Ffc*DfJK^^F-i'>A^5' F*. 7n"{C^ 

#t,>:^)>$?c«-t2P{C^Ol>*5. ifL't^J«*F-4'>;<;'? 
>FTC„ , „ - d ;*s■^z'^J:D/^$0^^1^. 3l^5E©^^•^ 

rtfc«).5©-e) jps^sns. ^©j;^ift3 r2S 
F -5^ F J m^Mt.. TA Single 
Rate Three C o 1 o rMa r k e r J il,^ 
b^WDl'&'YY Request for Co mm 
ent 2 6 9 7llCfatfe^tir(,^S„ 
[007 2] 31S^^©^S-5r >;» F3^P> F P-^t?. 
F"5'>^N*^r y Ft^eSiSi^afflLr. ^jlf--d?7P- 

**iiij-r-&citt. sift©^-?^-? F©-y--YX^S 
ft^UTl^Stf-fX^tf?; FD*i5#U^©^^*ll^* 

tf^il^^^^JcML'-C. ^ffl±©llit{CitBb-Ct> 
:fc„ ^a©/S^-:/ FOf-'TXl*. ^IMI&ffi©^1• 

Ftcssf-rs-y-'fx-^fcf-^ FD». *iw^s*stft>n 

j?4S©.S'-e«. >'^•^r.y F©]^iBg^|g!aLfet,^-5Itgtt 
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fc' v h DCD^?|# (deduct ion) tt. ^K.M<D 
[0 07 3] — ^fiCD^-A'^r hiCMT^^-^ 

[0074] ^mm<Dc<D^mmx'it. mm^f'tf-:, 
^affl L-c^a-T'- a y a -*aw-r s c i (cw-r ■5± 
[ 0 0 7 5 ] «^ . iimm-^m^mm-r?, c i *s 20 

?£«fl:-a-r03 Ci* 
[0 07 6] § 6fC. 7"-^«ftIJ^rffi». 02>'^•^•;' h 30 

-i? > h ^ara Lr02 v v Knr^fmi^^'k 
[0 07 7] Sfc. ffi©7^-*miJ7^S^ffi«-5-S£: i 

■r-5 h*0l h-i'>*'i;>hK:iiaib 

T02 f--i'>*'t?> : 02 h---t'>:^'^ 

03 h-*'>*'i7>h^:^a-rS. S/c»02h-i'> 

[0 07 8 ] C<Df- ^mm-^-ii-Cit, 'J>rj:<. thl-O 

©fi©ai#^*-rsst)^it-c*imm*ififflbr. 

[0 07 9] moyy'-^M^Wmt^-^^y h^^imt 
S : mmi'l'i^y h--i'>*'i'> h©^ti-eti{cii 50 
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1. Title of Invention 

PACKET PROCESSOR WITH MULTI-LBVEL POLICING LOGIC 

2 . Claims 

1. A packet switching controller comprising: 
an input for receiving a packet; 

a policing element for classifying the packet. into a 
plurality of policeable groups, 

wherein the packet .Is compared against one or. more 
bandwidth contracts defined for the policeable groups to produce 
one or more policing results. 

.2. The packet swicching controller of claim 1 wherein the 

policing element includes a policing database, a first 
policeable group identifier is applied to the policing database 
to retrieve first policing data and a second policeable group 
identifier^ the first policing data is applied to produce a 
first policing result, the second policeable group identifier 
is applied to the policing database to retrieve second policing 
data, and the second policing data is applied to produce a 
second policing result. 

3 . f he packet switching controller of claim 1 further 
comprising a disposition engine for making a disposition 
decision for the packet, wherein the policing results include 
one or more disposition recommendations r and the disposition 
engine uses the policing results and at. least one other 
disposition recommendation to make the disposition decision ^or 
the packet. 

4. The packet switching controller of claimi 1 wherein 
the policing results are combined into a single result by taking 
a wor©t case policing result • 

A method of processing a packet . using a policing 
element, the method comprising the steps of: 
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receiving the packet; 

classifying the packet into a plurality of policeable 
groups; and 

comparing the packet against one or more bandwidth 
contracts defined for the policeable groups to produce one or 
more policing results. 

6. The method of processing a packet of claim 5 wherein 
the policing element includes a policing database/ and the 
method further comprises the steps ofr 

applying a first policeable group identifier tio the 
policing database to retrieve first policing data and a second 
policeable group Identifier; 

producing a first policing result using the first 
policing data; 

applying the second policeable group identifier to the 
policing database to retrieve second policing data; and 

producing a second policing result using the second 
policing data. 

7, The method of processing a packet of claim 5 wherein 
the policing results include one or more disposition 
recommendations, and the method further comprises the step of 
making a disposition decision for the packer .using the policing 
results and at least one other disposition recommendation. 

8. The method of processing a packet of claim 5 further 
comprising the step of combining the policing results into a 
single result by taking a worst case policing result. 

9, A method for policing a data packet received by a 
data communication switch, the method comprising; 

classifying the data packet into a plurality of 
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policeable groups; 

identifying policing data associated with one or more 
policeable groups ; 

applying the policing data to produce one or more 
policing results for the policeable groups/ and 

recommending a disposition of the data packet from the 
policing results. 



10- The method of claim 0 wherein a particular policeable 
group identifies a type of application to be policed. 

11, The method of claim 9 wherein .th« policing data 
includes information on bandwidth constraints specified for at 
least one policeable group. 

12 » The method of claim 9 wherein the policing results 
indicate whether the data packet is to be forwarded. 

13, The method of claim 9 wherein tha policing zrosuits 
indicate whether the data packet is eligible to be dropped. 

14. The method of claim 9 wherein the policing results 
indicate whether the data packet is to be dropped. 



15* The method of claim 3 wherein the step of recommending 
a disposition comprises the .step of combining the policing 
results to make a recommendation. 

16- The method of claim 9 wherein the step of recommending 
a disposition comprises selecting one of the policing results 
as the recoramendftd disposition. 



17. The method of claim 9 further comprising the step of 
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updating the policing data based oh the recommended disposition. 

18, A method for policing a data packet received by a data 
conununication switch, the method comprising the steps of: 

creating a policing database including a plurality of 
policing data entries specifying policing data for a plurality 
of policeable groups; 

applying a first identifier for retrieving a first 
policing data associated with a first policeable group and a 
second identifier identifying a second policeable group; 

applying the first policing data to produce a first: 
policing result f 

spplyiTug the second identifier for retrieving a second 
policing data; 

applying the second policing data to produce a second 
policing result; and 

recommending a. diapo;sition or the data packet from the 
first and second policing results, 

19 • The method of claim 18 wherein a particular policeable 
group identifies a type of application to be policed. 

20. The method of claim IB wherein the policing data 
includes inforitiation on bandwidth constraints specified for the 
policeable group. 

21. The method of claim 18 wherein the policing results 
indicate whether the data packet is to be forwarded. 

22. The method of claim IB Wherein the policing results 
indicate whether the data packet is oiigible to be dropped. 

23. The method of claim 18 wherein the policing results 
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indicate whether the data packet is to be dropped, 

24. The method of claim 18 wherein the step of 
recommending a disposition comprises the step of coinbihing the 
first and second policing results to malce a recommendation. 

25. The method of claim 18 wherein the step of 
recommending a disposition turther comprises selecting either 
the first or second policing result as the recommended 
disposition. 

26. The method of claim 18 further comprising the step of 
updating the first or second policing data based on the 
recommended disposition. 

27. A policing engine fox a data communication node, 
wherein the policing engine classifies a packet into a plurality 
of policeable groups, .and wherein the packet is compared for the 
respective ones. of the policeable groups against respective ones 
of bandwidth contracts to produce respective ones of policing 
results. 

28. A policing engine for a data communication node,, 
wherein a first policeable group identifier is applied to a 
policing database to retrieve first policing data and a second 
policeable group identifier, wherein the first policing data is 
applied to produce a first policing result, and the second 
policeable group identifier is applied to the policing database 
to retrieve .second policing data, wherein the second policing 
data is applied to produce a second policing result. 

29* A packet processor comprising: 

an input for receiving a packet; 
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policing means for classifying the packet into a 
plurality of policeable groups, 

wherein the packet is compared against one or .more 
bandwidth contracts defined for the policeable groups to produce 
one or more policing results. 

30. The packet processor of claim 29 wherein the policing 
means include a policing database, a first policeable group 
identifier is applied to the policing database to retrieve first 
policing data and a second policeable group identifier, the 
first policing data is applied to produce a first policing 
result, the second policeable group identifier is applied to the 
policing database to retrieve second policing data, and the 
second policing data is applied to produce a second policing 
result * 

31. packet processor of claim 29 further coiftprising 
a disposition means for making a disposition decision for the 
packet, wherein the policing results include one or more 
disposition recommendations, and the disposition means use the 
policing results and at least one other disposition 
reconimendation to make the disposition decision for the packet. 

32. The packet processor of claim 29 whsrain the policing 
results are combined into a single result by taking a worst case 
policing result. 

33. The packet switching controller of claim 1, the 
packet switching controller further comprising a debiting 
element # wherein at least on© bandwidth contract has an 
associated token bucket to represent available bandwidth under 
said bandwidth contract, and the debiting element determines, 
using the policing results, whether . or not to debit the 
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associated token bucket. 

34. The packet switching controller ot claim 3, the 
packet switching controller further comprising a debiting 
element^ wherein at least one bandwidth contract has an 
associated token bucket to represent available bandwidth under 
said bandwidth contract , and the debiting element defers 
debiting the associated token bucket with the packet size until 
the disposition engine provides the disposition decision to the 
debiting oloment to b© used for determining whether or not to 
debit the associated token bucket. 

35, The method of processing a packet of claim 5, wherein 
at least one bandwidth contract has an associated token bucket 
to represent: available bandwidth under said bandwidth contract, 
and wherein the method further coimpcises determining, using the 
policing results, whether or not to debit the associated roken 
bucket . 

36- The method of processing a packet of claim 1, wherein 
at least one bandwidth contract has an associated token bucket 
to represent available bandwidth under said bandwidth contract, 
and wherein the method further comprises determining, using the 
disposition decision, whether or not to debit the associated 
token bucket with the packet size. 

37. The method fox policing a data packet of claim 11, 
further comprising the steps of: 

generating a disposition decision for the data packet 
using the disposition rooommendation from the policing results 
and at least one other disposition recommendation; and 

determining whether or not to update the information 
on bandwidth constraints using the disposition decision. 
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38. The inetnocJ for policing a data packet of claim 20, 
further comprising tho steps of: 

generating a disposition decision for the data packet 
\ising the disposition recoinmendation from the first and second 
policing results and at least one other disposition 
recornmendation; and 

determining whether or not to update the information 
on bandwidth constraints using the disposition decision. 

39. The policing engine of claim 27, whorein whether or 
not bandwidth available under .the bandwidth contracts are 
updated is determined based on the policing results. 

40. The packet processor of claim 31 * the packet 
proceaaor further comprising debiting means, wherein at. least 
one bandwidth contract has an aeeoclated token bucket to 
represent available bandwidth under said bandwidth contract, and 
the debiting means defers debiting the associated token bucket 
with the packet size until the disposition means provides the 
disposition decision to the debiting means to be used for 
determining whecher or not to debit the associated token bucket. 

41. A data policing method, the method comprising the 
steps of: 

receiving a packet; 

adding a time credit to a first token count to 
generate a second token count; 

applying the second token count to generate a 
policing result for the packet; 

applying the policing result to determine whether to 
subtract a size debit from the second token count to generate 
a third token count or not; and 
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subtracting the size debit from the second token 
count to generate a rhird token count if such subtraction has 
been determined through applying the policing result. 

42* The data policing method of claim 41, the method 
further comprising the steps of: 

receiving a second packet; 

adding a second time credit to the second token count 
to generate a fourth token count if the third token count has 
not been generated; 

adding a second time credit to the third token count 
to generate the fourth token count if the third token count has 
been generated; and 

applying the fourth token count to generate a policing 
result for the second packet- 

43- A data policing mat hod, the method compriaing the 
steps of: 

receiving a packets- 
adding a time credit to a first token count to 

generate a second token count; 

applying the second .token count to generate a policing 

result for the packet; 

applying the policing rasrult to generate a dispoaition 

result for the packet; 

applying the disposition result to determine whether 

to subtract a size debit from the second token count to generate 

a third token count or not; and 

subtracting the size debit from the second token count 

to generate the third token count if such subtraction has been 

determined through applying the disposition result. 

44, The data policing method of claim 43, wherein the 
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policing result is applied as a recommendation with at least one 
other recommendation to generate the disposition result - 

45. A data policing method, the method comprising the 
steps of: 

receiving a packet; 

adding a time credit . to ones of token counts to 
generate respective ones of second token counts; 

applying the ones of second token counts to generate 
a policing result for the packet; 

applying the policing result to determine whether to 
subtract size, debit from at least one of the second token counts 
to generate at least one third token count or not; and 

subtracting the size debit from at least one of the 
second token counts to generate at least one third token count 
If auch subtraction has been determined through applying the 
policing result. 

4S. h data policing method, the method comprising the 
steps of: 

receiving a packet; 

adding a time credit to ones of token counts to 
generate respective ones of second token counts; 

applying the ones o£ second tokan count3 to generate 
a policing result for the packet; 

applying the policing result to generate a disposition 
result for the packet; 

applying the disposition result to determine whether 
to subtract or not a size debit from at least one of the second 
token counts no generate at least one third noKen count; and 

subtracting the size debit from at laast one of the 
second token counts to generate at least one third token count 
if such subtraction has been determined through applying the 



disposition result. 
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3. Detailed Description of Invention 

cross-reference to related application (S) 

The present application claims the priority of U.S, 
Provisional Application No, 60/206,6X7 entitled ''Sy&t^m and 
Method for Enhanced Line Cards'' filed May 24, 2000. U.S. 
Provisional Application No, 60/206,996 entitled "'Flow Resolution 
Logic System and Method" filed May 24, 2000 and U.S. Provisional 
Application No- €0/220,335 entitled Programmable Packet 
Processor" filed July 24, 2000, the contents of all of which are 
fully incorporated by refexence heroin • The present application 
contains subject matter related to the subject matter disclosed 
in U.S. Patent Application No. 09/751,194 entitled ^^Programmable 
Packet Processor with Flow Resolution Logic" filed December 2B, 
2000 r the contents of which are fully incorporated by reference 
herein. 

FIELD or THE INVENTION 

This invention relates generally to data communication 
switches, and more particularly to a data communication switch 
employing multiple levels of rate policing on a data packet. 

BACKGROUND OF THE INVENTION 

Rate policing is increasingly becoming important in data 
communication networkjs as customers ontitled to different 
qualities of service (QoS> compete for the available bandwidth 
of a common set of network resources. Rate policing is 
typically accomplished at each switch by classifying each packet 
into a single policy group and comparing the classified packet 
against one or. more bandwidth contracts defined for the group. 
Based on the identified bandwidth contract:, the packet may be 
forwarded, be forwarded with a discard eligible marking, or be 
discarded. 
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Existing rate policing methods typically police data 
traffic on a per-port basis with no regard to other information 
about the traffic. Data exceeding the rate subscribed by the 
customer is typically marked to be dropped if congestion occurs. 
Thus, a customer typically has no flexibility to selectively 
drop certain data based on the data type, such as based on the 
particular application associated with the data. 

With the increasing desire to tailor communication 
networks to the individualized needs of customers, it is 
desirable to provide policing logic that has increased 
flexibility, but whose implementation is not so complex ad to 
substantially reduce line speed. 

SUMbiARy OF THE INVBNTIOI^l 

la one embodiment of the present invention, a packet 
switching controller is provided. The packet switching 
controller includes an input for receiving a packer and a 
policing element for . classifying the packet into a plurality of 
policeable groups. The packet is coir^ared against one or more 
bandwidth contracts defined for the policeable groups to produce 
one or more policing results. 

In another embodiment of the present invention, a method 
of processing a packet is provided. A packet is received and 
classified into a plurality of policeable groups- The packet 
is compared against one or more bandwidth contracts defined for 
the policeable groups to produce one or more policing results. 

In yet another embodiment of the present invention, a 
method for policing a data packet received by a data 
communication switch is provided. The data packet is classified 
inro a plurality of policeable groups. Then, policing data 
associated with one or more policeable crroupe: ie identified. 
The policing data is applied to produce one or more policing 
results for the policeable groups r and a disposition of the data 



(35) 



#11 2 0 0 2 - 4 4 1 5 0 



packet is recommended from the policing results. 

In 3 till another embodiment of the present invention, a 
method for policing a dara packet received by the data 
communication s^^itch is provided, A policing database including 
a plurality of policing data entries specifying policing data 
for a plurality of policcable groups is created. A first 
identifier is applied for retrieving a first policing data 
associated with a first policeable group and a second identifier 
identifying a second policeable group. Then, the first policing 
data ie applied to produce a first policing result:. Further r 
the second identifier is applied for retrieving a second 
policing data. Then, the second policing data ie applied to 
produce a second policing result. A disposition of the data 
packet is recommended from the first and second policing 
results. 

In a further embodiment of the present invention, a 
policing engine for a data ccawnanication node is provided. The 
policing engine classifies a packet into a plurality of 
policeable groups. The packet is compared for the respective 
ones of the policeable groups against respective ones of 
bandwidth contracts to produce respective ones of policing 
results . 

In a still further embodiment of the present invention, a 
policing engine £ar a data communication node is provided. A 
first policeable group identifier is applied to a policincj 
database to retrieve first policing data and a second policeable 
group identifier. The first policing data is applied to produce 
a first policing result, and the second policeable group 
identifier is applied ro the policing database to retrieve 
second policing data. The second policing data is applied to 
produce a second policing result. 

In a yet further embodiment of the present inventioni a 
packet pfocessor is provided. The packet processor includes an 
input for receiving a packet and policing means for classifying 
the packet into a plurality of policeable groups- The packet 
is compared against one or more bandwidth contracts defined for 
the policeable groups to produce one. or more policing results. 
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I . Overview 

In FIG. 1, network en-vironment incLviding a packet 
switching node 10 is illustrated. The packet switching node may 
also be referred zo as a switcn, a data communication node ox 
a data conununication switch. The packet switching node 10 
includes switching interfaces 14, 16 and 18 Interconnected to 
respective groups of LANs 30, 32 ^ 34, and interconnected to one 
another over data paths 20, 22, 24 via switching backplane 12. 
The switching backplane 12 preferably includes switching fabric. 
The switching interfaces may also be coupled to one another over 
control paths 26 and 28 • 

The switching inter faoee 14, 16, 18 preferably forward 
packets to and from their respective groups of XJiNs 30, 32, 34 
in accordance with one or more operative communication 
protocols, such as, for example, media access control {MAC} 
bridging and Internet Protocol (IP) routing. The switching node 
10 is shown for illustrative- purposes only* In practice, packet 
switching nodes may include more or less than cbree switching 
interfaces. 

FIG. 2 is a block diagram of a switching interface SO in 
one embodiment of the present invention. The switching 
interface 50 may be similar, for example, to the switching 
interfaces 14, 16, 18 of FIG. 1. The switching interface 50 
includes an access controller 54 coupled between LANs and a 
packet switching controller 52. The acce:55 controller 54, Which 
may, for example, include a media access controller (MAC) , 
preferably receives inbound packets off LAWs, performs flow- 
independent physical and MAC layer operations on the inbound 
packets and transmits the inbound packets to the packet 
switching controller 52 for flow-dependent processing. The 
access controller 54 preferably also receives outbound packets 
from the packet switching contr<^ller 52 and transmits the 
packets on LAWs. The access controller 54 . may also perform 
physical and MAC layer operations on the outbound packets prior 
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to transmitting them on LANs. 

Ttie packet switching controiier 52 preferably is 
programmable for handling packers having wide variety of 
coiwnunications protocols. The packet switching controller 52 
preferably receives inbound packets, classifies the packets, 
modifies the packets in accordance with flow information and 
transmits the modified packets on switching backplane, such as 
the switching backplane 12 of FIG. 1. The packet switching 
controller 52 preferably also receives packets modified by other 
packet switching controllers via the switching backplane and 
transmits them to the access controller B4 for forwarding on 
LANs. The packet switching controller 52 may also subject 
selected ones of the packets to egress processing prior to 
transmitting them to the access controller 54 for forwarding on 
LANs. 

PIG. 3 is a block diagram of a programmable packet switching 
controller 100 in on© embodixnettt of the present invention. The 
programmable packet switching controller 100, for example, may 
be similar to the packet switching controller 52 of 2. The 

programmable packet switching controller 100 preferably has flow 
reisolution Logic for classifying and rotating incoming flows of 
packets. Due to its programmable nature r the programmable packet 
switching controller preferably provides flexibility in handling 
many different protocols and/or field upgradeatoillty . The 
programmable packet switching controller may also be referred to 
as a packet switching controller i a switching controller, a 
programmable packet processor, a network processor^ a 
communications processor or as another designation commonly used 
by those skilled in the art. 

programmable packet switching controller 100 includes 
a packet buffer 102, a packet classification engine 104^ an 
application engine .106 and a policing engine 120- The policing 
engine may also be referred to as a policing element. Packet 
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switching controllers in other embodiments may include more or 
less components. For examplSr a packet switching controller in 
another embodiment may include a pattern match module for 
comparing packet portions against a predetermined pattern to look 
for a match. The packet switching controller in yet anDfcher 
embodiment may include an edit module for editing inbound packets 
to generate outbound packets. 

The programmable packet switching controller 100 preferably 
receives inbound packetjs 108. The packets may include, but are 
not limited to, Ethernet frames, ATM cells, TCP/IP and/or UDP/IP 
packets, and may also include othsr Layor 2 (Data Link/KAC 
Layer) , Layer 3 (Network Layer) or Layer 4 (Transport Layer) data 
units. For example, the packet buffer 102 may receive inbound 
packets from one or more Wedia Access Control <MAC) Layer 
interfaces over the Ethernet - 

The received packets preferably are stored in the packet 
buffer 102. The psck«»t buffer 102 may include a packet FIFO for 
receiving and temporarily storing the packets. The packet buffer 
102 preferably provides the stored packets or portions thereof 
to the packet classification engine 104 and the application 
engine 106 for processing. 

The packet buffer 102 may also include, an edit module for 
editing the packets prior to forwarding them out of the switching 
controller as outbound packets 118. The edit module may include 
an edit program construction engine for creating edit programs 
real-time and/or an edit engine for modifying the packets. The 
application engine 106 preferably provides application data 116, 
which may include a disposition decision for the packet, to the 
packet buffer 102, and the edit program construction ..engine 
preferably uses the application data to create the edit programs. 
The outbound packets 118 may be transmitted over a switching 
fabric interface to communication networks, such as, for example, 
the Ethernet. 
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The packet buffer 102 may also include either or both a 
header data extractor and a header data cache. The header data 
extractor preferably is us^d to extract one or mora fields txom 
the packets, and to store the extracted fields in the header data 
cache as extracted header data. The extracted header data may 
include, but are not limited .to, some or all of the packet 
header. In an Ethernet system, for example, the header data 
cache may also store first K bytes of each frame. 

The extracted header data preferably is provided in an 
output signal IID to tha packet classif icati«=in engine 104 for 
processing. The application engine may also request and roeeivo 
the extracted header data over an interface 114. The extracted 
header data may include^ but are not limited to^ one or more of 
Layer 2 MkC addresses, 802.1P/Q tag status^ Layer 2 encapsulation 
type^ I»ayer 3 protocol type, layer 3 addresses, ToS (type of 
service) values and Layer 4 port numbers, in other embodiments, 
the output signal 110 may include the whole inbound packet, 
instead of or in addition to the extracted header data, la still 
other embodiments r the packet classification engine 104 may be 
used to edit the extracted header data to be placed in a format 
suitable for use by the application engine, and /or to load data 
into .the header dana cache. 

The packet classification engine 104 preferably includes a 
programmable microcode-driven embedd&d processing engine. The 
packet classification engine 104 preferably is coupled to an 
instruction RAM (IRAM) (not shown) ► The packet classification 
engine preferably reads and executes instructions stored' in the 
IRAM. In one embodiment, many of the instructions executed by 
the packet classification engine are conditional jumps. In this 
embodiment, the classification logic includes a decision rree 
with leaves at the end points that preferably indicate different 
types of packet classifications. Further, branches of the 
decision tree preferably are selected based on comparisons 
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between the conditions of the instructions and the header fields 
stored in the header data cache, In other embodiments, the 
classification logic may. not be based on a decision tree. 

In one embodiment of the present invention, the application 
engine 106 preferably has a pipelined architecture wherein 
multiple programmable sub-engines are pipelined in series. Each 
programmable sub-engine preferably performs an action on the 
packet, and preferably forwards the packet to the next 
programmable aub-engine in a ^^bucket brigade" fashion. The 
packet classification engine preferably stisrts the pipelined 
packet processing by starting the first programmable eab-engin© 
in the application engine using a start signal 112, The start 
signal 112 may include identification of one or more programs to 
be executed in the application engine 106. The start signal 112 
may also include packet classification information. The 
programmable sub-engines in the application engine preferably 
have direct access to the hoader data and the extracted tlelds 
stored in the header data cache over the interface 114, 

The application engine may include other processing stages 
not performed by the programmable sub-engines, hov/ever, the 
decision-making stages preferably are performed by the 
programmable sub-engines to increase flexibility. In other 
embodiments, the application engine may include other processing 
architectures * 

The disposition decision included in the application data 
116 preferably is also provided to the policing engine 120. The 
policing engine 120 preferably also receive© one or more policing 
IDS 124. The policing engine 120 preferably uses the disposition 
decision and the policing IDs to generate one or more policing 
recommendations 122- Th© policing recommendations may be a type 
of disposition recommendation , and may also b« referred to as 
policing results. The policing recommendations* preferably -are 
provided to the application engine 106 to be used together with 
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other disposition recommendations to generate application data, 
wnich may include the disposition decision, 

II. Pxogramniabie Disposition Logic 

FIG- 4 is a block diagram of a packet switching controller 
130 with programmable disposition logic. The packet switching 
controller 130 may be similar, for example, to the packet 
switching controller 100 of PIG. 3. The packet switching 
controller includes a packet buffer 132, a packet classification 
engine 134, a pattern match lookup logic 136, an application 
engine 138 and a policing engine 166- 

The application engine includes a source lookup engine 
140, a destination lookup engine 142 and a disposition engine 
144. The packet classification engine^ the source lookup 
engine, the destination lookup engine and the disposition engine 
preferably are prograwmable with one or more application 
programs. Xn othor words, each of the packer class! tication 
engine and the sub-engines of the application engine preferably 
includes a programmable microcode-driven embedded processing 
engine. In other embodiments, one or more of these engines may 
be iffiplementBd in hardware, i.e,, as hardwired logic. The 
policing engine 166 may be implemented in hardwired logic or in 
programmable microcode-^driven embedded processing engine. 

The packet buffer 132 preferably receives and stores 
inbound packets 146. The packet buffer preferably providea the 
inbound packets or portions thereof 148 to the packet 
classification engine 134, The packet classification engine 
preferably classifies the packets using its application programs 
programmed rhereon, and preferably provides a program 
identification 152 to the applicarion engine 138- More 
particularly, the program identif icatilon 152 preferably is 
provided to the source lookup engine 140, the destination lookup 
engine 142 and the disposition engine 144 in the application 
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engine. In one embodiment of the present invention/ the packet 
classification engine 134 Includes a decision tree-based 
classification logic; 

The program identification 152 preferably is used to 
select application programs to be executed in each of the source 
lookup engine, the destination lookup engine and the disposition 
engine. The application programs to be executed in the source 
lookup engine r the destination lookup engine and the disposition 
engine preferably are selected based at least partly on packet 
classification information. The packet classification 

information may also be provided together with the program 
identification . 

The. packet buffer preferably also provides the inbound 
packets or portions thereof . 150 to the pattern match .lookup 
logic 136. The pattern match lookup logic preferably includes 
a predefined pattern against which the packets or the packet 
portions are eoii^arad. For example, the packet portions used 
for pattern matching may include portions of packet header data, 
packet payload data, or both the packet .header data and the 
packet payload data. In other embodiments, the predefined 
pattern may reside in an external memory, which is accessed by 
the patrem match lookup logic for pattern matching. In still 
other embodiments, the match pattern may change during the 
operation, of the packet switching controller. 

After a comparison is made, a result 154 of tho compariaon 
preferably is provided to the application engine 138. More 
particularly, the result 154 of the comparison preferably is 
provided to the disposition engine 144 in the application 
engine. In some embodiments, the result may be provided to the 
disposition angina only when there Is a match. 

The source Lookup engine 140 preferably generates a 
disposition recommendation 160 for an inbound packet at least 
partly by performing a source address lookup using a source 
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address of the inbound packet • The disposition recorarRendation 
160 preferably also depends on the application program executed 
in the source lookup engine 14 0 in accordance with the program 
identification pcovided by the packet classification engine. 
The disposition recommendation 160 preferably includds a 
security recommendation for th© inbound packet. 

In other embodiments, the source lookup engine 140 may be 
used to build one or more keys, which may then be used to look 
up the source address {e.g., IPSA) of the inbound packet in an 
address table- The keys may include, but are not limited to, 
one or more of Virtual LAN Identification (VIAN ID) , application 
identification (APP ID) and IPSA, One or more keys built by the 
source lookup engine 140 may also be used to formulate a 
disposition recommendation/ such as, for example, the security 
xrecommendatlon . 

The destination lookup engine 142 preferably receives an 
output 156 from the source lookup engine 140. The output 156 may 
include the key used to look up the source address and/or the 
result of the lookup. The destination. lookup engine preferably 
executes its application program identified by the packet 
classification engine 134 and generates one or more police 
identifiers <IDs) 168. The police IDs 1S8 may be based at least 
partly on destination address lookup using a destination address 
of the inbound packet - 

The. policing engine 166 preferably uses th© police IDa 168 
as keys to access policing data in a policing data table. The 
policing engine 166 preferably uses the accessed policing data 
to generate one or more policing recommendations 170, The 
policing recommendations preferably are used by the disposition 
engine along with other diaposition recommendations to generate 
application data, which may include the disposition decision - 
When the pattern match lookup logic 136 finds a match, the 
pattern match result 154 preferably overrides the policing 
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reCQxnmendatioTis » The policing xe commend at ions preferably are 
used zo generate a single recommendation by selecting the worst 
case policing re commendation. The policing engine may also 
perform accounting [functions. 

In other embodiments, the destination lookup engine 142 
may be used to build one or more Iceys^ which may then be used 
to look up the destination. address (e.g., IPDA) of the inbound 
packet in an address table. The keys may include, but are not 
limited to^ one or more of Virtual .LAlil Identification (VXiAN ID) , 
application idontlfi cation lAPP ID) and IPDA, 

The disposition engine 144 preferably receives a number of 
disposition reconuaendations including, but not limited to, tha 
security recommendation in the disposition recommendation 160, 
the policing recommendation 170, and the pattern match result 
154. The disposition engine preferably generates a disposition 
decision 162 based on the disposition recozwnendations as well 
as the packet classification and/or program idennitlcation. The 
disposition decision 162 may include one of the disposition 
recommendations. In general, the pattern .match result 1S4 may 
override the policing recommendation 170, and the policing 
recommendation may override the security recommendation in the 
disposition recommendation 160. The disposition decision 162 
may be a part of application data, which may include, but is not 
limited to, one or more of accounting data, .roui:ing data and 
policing data. 

The disposition decision preferably is provided to the 
packet buffer to be used for editing the inbound packets to be 
provided as outbound packets 164. The disposition decision 
preferably is also fed back to the policing engine for policing 
and accounting. For enample, when the inbound packet is 
dropped, the policina engine should be made aware of that: facx. 
In other embodiments, the destination lookup engine may include 
the policing engine. In such cases, the disposition decision 
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preferably Is provided to the destination lookup engine for 
policing and accounting - 

FIG. 5 is a flow diagram of a process of programmatically 
generating a disposition decision using multiple disposition 
recoromendations and classification information. In step 180, 
a packet buffer, such as, for exaicqole, the packet buffer 132 of 
riG. 4, preferably receives an inbound packet. In the packet 
buffer, packet header data may be extracted and stored in a 
header data cache. 

The inbound packet or a portion of the inbound packet, 
which may iisclude the header data, preferably is provided to a 
pattern match lookup logic, such as, for example, the pattern 
match lookup logic 136 of FIG. ^, In step 182, the pattern 
match lookup logic preferably performs a pattern match lookup 
between the inbound packet or the portion of the inbound packet 
and a predetermined pattern to generate a pattern match 
recoimnandatlon as indicated in step 18B. The predetermined 
pattern, for example, may be contained in an internal or 
external memory. In other embodiments, the match pattern may 
change dynamically. 

Meanwhile, the inbound packet or a portion thereof 
preferably is also provided to a packet classification engine, 
such as, for example, the packet classification engine 134 of 
FIG. 4. In stsp 184, the packet claisslf icacion engine 
preferably classifies the packet and preferably identifies 
application .programs based on the packet classification. In 
step 1B6, the program identification preferably is provided to 
a source lookup engine, a destination lookup engine and a 
disposition engine in an application engine, such as, for 
example, tho application engine 138 of FIG. 4. The program 
identification preferably indicates application programs to be 
executed in these sub-engines. The packet classification 
information preferably is also provided to the source lookup 
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engine, the destination lookup engine and the disposition 
engine. The source lookup engine preferably generates a 
eacurity are commendation in step 150, while the policing engine 
preferably generates a policing recommendation in step 192 using 
police IDs from the destination lookup engine. 

In step 194, the pattern match tecoifimendationr the security 
recomendation and the policing reconimendation preferably are 
provided to the dispositrion engine. The disposition engine 
preferably generates a disposition decision using one or more of 
tho s#l«»cted application program and t.he disposition 
recommendations. The disposition decision preferably io provided 
to the packet buffer to be used for editing and transmission of 
the inbound packet as an outbound packet in step 196. In step 
199, the disposition decision preferably is also fed back to the 
policing engine for operations such as, for eKample, policing and 
accounting » 

III, Hulti-Level Policing 

In one embodiment of the present invention, the policing 
engine preferably employs multi-level policing logic for 
policing the traffic flowing through the packet switching 
controller based on multiple policy groups, A customer 
preferably specifies the applicable policy groups and bandwidths 
applicable to those groups in har bandwidth contract. In an 
exemplary scenario, the customer may specify in hea; bandwidth 
contract that she will pay for 1 Gbps of data traffic on a 
particular port. The customer may further assign different data 
flow limits to the subnets in her company. For example, the 
customer may limit the engineering subnet to 300 Mbps and the 
accounting subnet to 100 Mbps. Furthermore, the customer may 
specify that web traffic is to be limited to 200 Mbpa for the 
entire company. Thus, instead of policing the traffic solely 
on a per-port basis with no regard to the type of traffic, web 
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traffic and traffic originating from the engineering or 
accounting subnets may be identified and policed based on their 
ceapective thresholds. 

Further, a bandwidth contract between service provider and 
customer may also determine QoS actions. The QoS actions 
preferably identify QoS applicable to the traffic meeting the 
flow conditions ♦ The QoS actions may indicate a maximum 
bandwidth, minimum bandwidth, peak bandwidth, priority, latency, 
jitter, maximum queue depth, maximum queue buffers, and the 
like. 

The bandwidth policing function preferably controls the 
ingress data rate on a per-flow bases as part of a general 
solution to limit, e.g., police, and shape traffic flows. FIG, 
G is a block diagram illustrating policing of different flows. 
The policing parameters preferably are established by defining 
a Committed Information Rate (CIR) in units of bytes per time 
along with a Committed Burst Size (CBS) and Excess Burst Size 
(EBS) both in units of bytes. The packets preferably are 
classified, i.e,, marked, into a first bucket (Drop Eligible 
(DE) bucket) 200 and a second bucket (Drop bucket) 202. 

As packets are presented at a given ingress rate, they 
preferably are marked according to a current balance within each 
bucket and its relationship to the CBS and E3BS. I'he first 
bucket preferably maintains a Discard Eligible (DS) balance. 
The second bucket preferably maintainsr a Drop balance. If the 
ingress rate is less than the CBS, the packets preferably are 
marked as Forward. If the ingress rate is greater than or equal 
to the CBS but below the EBS, packets preferably are marked as 
DE- If the ingress rate is greater than or equal to the EBS, 
packets profQrably are marked as Drop. 

FIG. 7 is a policing data table 250 used for policing data 
packets based on multiple policy levels in one embodiment of the 
present invention • The policing data table 250 may be stored 
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In a policing engine, which may be similar to the policing 
engine 166 of FIG. 4. The policing data table 250 may also be 
referred to as a policing database. 

The policing data table 250 includes policing data for 
performing checks of the current rate of traffic flowing through 
a packet switching controller, such. as, for example, the packet 
switching controller 130 of FIG, A, The policing data table 250 
may be arranged in a variety of ways, but preferably is 
configured as sequential entries, with each entry providing 
policing data 2S2 that is aesociated ..with a particular policy 
group. Bach policing data 252 preferably is identified by a 
unique police identifier (ID) /key 254. 

The police ID 254 preferably identifies different policy 
groups to which the packet may be classified. Preferably, each 
police ID 254 is composed .Of a customer identifier 254a and/or 
an application identifier 254b. The customer identifier 
preferably identifies a particular customer based on source 
address, physical port^ ox the like. The application identifier 
254b preferably is an internal identifier assigned by an 
application JEIAM' based on the type of application, associated with 
the packet. Exemplary applications include web applications f 
Voice over IF (VoIP) applications, and the like. 

A next police ID 256 preferably allows nested lookups in 
the policing database to identify additional policy groups 
applicable to the packet. The policing data 252 associatod with 
those policy groups preferably are also retrieved for performing 
a rate check for the current packet. 

Each policing data 252 preferably depicts the current 
bandwidth as well as the bandwidth limits of each policy group 
identified by the police ID 2S4. A Drop balance 252c and a Drop 
Eligible (DB) balance 252d preferably maintain counts of the 
amount of traffic flowing through the packet switching 
controller. The Drop and DE balances 252c, 252d preferably are 
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respectively compared against a Drop and DE limits 2S2e, 252f 
for recommending that the c\jrrent packet be forwarded, forwarded 
with 51 DB marking/ or dropped immediately. The Drop balance 
252c preferably is not Incremented until the DE balance 252d is 
greater than a DE limit 252 f. 

Each policing data 252 preferably further includes a 
timestamp 252b Indicative of a time at which a last balance 
calculation was done. Given a current time and the timestamp 
information, an elapsed time from the last balance calculation 
may bo measured for cttlcuiating a rate of traffic during this 
tims- The size of the timestamp incremonts may be adjueted 
based on a budget (CIR) 252a value also maintained in the 
policing data table 250. For example, the budget value may be 
defined as bytes per timestamp increment in one embodiment of 
rhe present invention. 

In the illustrated policing data table 250, the policing 
engine preferably parforms a rate check 256 or 260 based on a 
first police ID to produce a first policy result indicating the 
recommended disposition of the packet. The policing engine 
preferably further determines if the packet is to be policed 
based on additional policy groups. In doing so, the policy 
engine preferably examines the next police ID field 256 and 
retrieves the policing data identified by the ID. A second rate 
check 2 62 preferably is then performed on the same packer ro 
produce a second policy result based on the second rate chock. 
Additional rate checks may continue to be performed based on 
values on the next policy ID field 256. In one ©sibodiment of 
the present invention r up to four policing algorithms may be 
executed for each packet while maintaining line rate 
performance. In other embodiments, more or less than four 
policing algorithms may be exeeutad. 

FIG. 8 is an exemplary flow diagram of a multi-level 
policing process. The process starts ^ and in step 300, the 



2002-44150 



policing engine preferably receives a new police ID for an 
incoming packet. In step 302 the policing engine preferably 
retrieves th© policing datfi aaaociated with the police ID. In 
Step 304, the policing engine preferably calculates a new Drop 
or DE balancer preferably according to the following formula: 

BalancBrtftw - Balanceoia- [budget* (time-tiinestamp) ]+ packetsiae 

In the formula, Balancen^w and Balanceou preferably 
represent new and current balances, respectively, for either the 
Drop bucket or DE backet associated with the police ID. Budget 
preferably represents budget 252a, e.g., CIR, associated with 
the police ID. The current Drop and DE balances correspond to 
DROP BAL 252c and DE BAL 252d, respectively. Time and 
timestamp, respectively, preferably represent current time and 
timestamp 252b associated with the police ID. Packetsite 
preferably representsi si:?© of the packet being processed. 

In step 306, the new Drop balance or DE balance is applied 
towards the Drop limit 252e or DE limit 2S2f. The balance 
preferably is applied towards the DE balance . until the DE limit 
has been exceeded. The policing engine preferably compares the 
DB balance against the DE limit and preferably determines that 
the packet is to be forwarded if the DE balance is less than the 
DB limit. If the DE balance «xceads the DB limit, the balance 
preferably is applied towards the Drop balance. The policing 
engine preferably then compares the Drop balance against the 
Drop limit, and preferably determines that the packet is to be 
forwarded with a DB marking if the Drop balance is less than the 
Drop limit. However, if the Drop limit has been exceeded, the 
policing engine preferably determines that the packet is to be 
discarded immediately. 

For example, in practice, the new balances preferably are 
calculated and then compared against the DB and Drop limits to 



#IS 2002-44150 



determine forwarding status. The balances preferably are 
updated based on the forwarding result- For example, if the 
packet is marked Forward, the DB balance preferably is updated. 
In other words, when the packet is marked Forward, the DE 
bucket, such as, for example, the first bucket 200 of FI(S- 6, 
preferably is filled. For further example, if the packet is 
marked DE, the Drop balance preferably is updated- In other 
words, when the packet is marked DE, the Drop bucket, such as, 
for example, the second bucket 202 of FIG. 6, is filled. At 
this point, the DE bucket is already full. For. still further 
eKamplei if the packet is marked Drop, neither the DB balance 
nor the Drop balance is updated since both buckets are full at 
this point. 

In step 308, a determination . is made as to whether there 
are additional police IDs indicated for the current packet. If 
there are, the process returns to step 302 to retrieve the 
policing data identified by the additional police IDs and to 
produce additional policy results. 

In step 310, the policing engine preferably notifies a 
disposition engine, such as, for example, the disposition engine 
144 of FIG- 4, of the policing results, which may also be 
referred to as policing recommendations. In the event that 
multiple policy results are available for the packet being 
processed, the policing engine preferably selects rhe most 
conservative policing result, i.e,, worst case policing result, 
and preferably returns that result to the disposition engine- 
The disposition engine preferably uses the police results and 
other disposition recommendations, e.g., security recommendation 
and pa tt«rn match result, no generate a disposition decision. 

In step 312, tho policing engine preferably receives 
notice from the disposition engine of the disposition decision. 
The disposition decision may include the decision on whether the 
packet was forwarded, forwarded with a DE marking, or dropped. 
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In step 314/ the policing engine preferably determines whether 
the pacKet was forwarded. If it was, each policing data 
associated with the forwarded packet is updated in step 316 to 
reflect an increased traffic. 

The values updated in the police database preferably 
include one or mors of the DE balance, the Drop balance and the 
timestamp. The DE balance preferably is updated if it is less 
than the DE limit. The Drop balance preferably is updated if 
the DE balance is greater than the DE limit and the Drop balance 
is less than the Drop limit. If lioth balances are over their 
respective limits, then preferably neither is updated. In any 
case, it is desirable to not add the Vpacket size' (size of the 
packet) value to either balance if the packet/ e.g», frame, is 
dropped for any reason as indicated by the disposition decision, 
for example;. This way, an accurate count preferably is made of 
the packets coming into the switching fabric. 

IV. Flow Rate Policing with Deferred Debiting 

In one embodiment of the present invention, deferred 
debiting preferably is used with flow rate policing. PIG. 9 is 
a block diagram 400 of a packet switching controller having flow 
rate policing with deferred debiting in this . embodiment of the 
present invention. The deferred debiting may be used in 
conjunction with the multi-level policing logic. 

As shown in FIG. 9, a field extractor 402 receives 
packets, provides flow information to generic decision logic 408 
and deferred debit policing logic 410, and provides the packet 
to a packet size calculator 404.. The packet size calculator 404 
provides output to a packet size buffer. 406 and provides the 
packet to a packet buffer 412. The generic decision logic 408 
and the deferred debit policing logic 410, respecrlvely, provide 
a generic decision result and a policing result to disposition 
logic- 414, which provides a disposition result to the packet 
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buffer 412. The disposition logic 414 also provides the 
dispoaition result to the deferred debit policing logic 410, 
which uses th© disposition result and the packet size 
information for deferred debiting. 

now rate policing has become increasingly important in 
data communication networking as customers entitled to different 
qualities of service compete for shared network bandwidth. Flow 
rate policing typically involves comparing packets within a flow 
against one or more bandwidth contracts defined for the flow to 
resolve whether ..to: (i) admit the packet without conditions; 
(li) admit the packet with conditions (e.g. mark the packet 
discard eligible); or (ill) discard the packet. 

Flow rate policing schemes typically maintain a token 
bucket'' to express the currently available bandwidth under each 
bandwidth contract. Typically, a packet is deemed to be within 
a flow's bandwidth contract if there are presently enough tokens 
In the bucket maintained foa? the contract ? a packet is deemed 
to exceed the contract if there are not presently enough tokens 
in the bucket maintained for the contract. Tokens are added to 
the bucket as time elapses via time credits? tokens are 
subtracted from the bucket as packets are admitted via packet 
si£Q debits. 

A common expression used to maintain token bucket state 

is: 

TCn^v ^ TCcXd + C - D 
where 

TCneii « new token count 
TCoid - old token count 
C sa time credit 
D « size, debit 

A single instance of the token bucket state expression may 
be applied to effectuate simple admit/discard policing decisions 
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as follows. When a packet within a flow arrives for a policing 
decision, a new token count TCnew for the flow's bandwidth 
contract is calculated by adding a -cime credit C reflecting the 
elapsed time since the policing decision on the previous packet 
and by subtracting a size debit D reflecting the size of the 
current packet. The new token count TCneu for the flow's 
bandwidth contract is then compared with zero. If the new token 
counx TCnew is greater than or equal to zero, the current packet 
is within the bandwidth contract. and is admitted. If the new 
token count TCrc is less than aero, the current packet exceeds 
the bandwidth contract and is discarded. 

Two instancesf of the token bucket state expression may he 
applied to the same flow to provide more sophisticated policing 
decisions. For . instance, a discard token bucket and a discard 
eligible roken bucket may be separately maintained for a flow- 
In that event. If the new discard xofcen count TCr,mi-d« is greater 
than or equal to zero but the new discard token count TCnew-d is 
less than zeroi the current packet is within the discard 
bandwidth contract but exceeds the discard eligible bandwidth 
contract. Accordingly, the current packet is admitted (since it 
is within the drop bandwidth contract) subject to the condition 
that it be marked as discard eligible (since .it exceeds the 
discard eligible bandwidth contract). Such a three-level ''dual 
token bucket" policing schejtva is described in IETF Request for 
Comment 2697 entitled ''A Single Rate Three Color Marker". 

Applying the token bucket state expression to police high 
speed data flows in state of the art packet switching 
controllers has met with some practical difficulty, particularly 
with regard to the teaching to subtract the size debit D 
reflecting the size of the curgrent packet prior to making the 
policing decision. First, the current packet's size may be 
determined external to the policing logic • Thus, the size debit 
D for the current packet may not be available at the time the 
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policing decision is made. Second, the policing decision alone 
may not dicrate rhe final disposition of the packet. Thus, 
deduction of the eise debit D for the curreni: packet may require 
later reversal. Third, the size debit D for the current packet, 
if deducted prior to making the policing decision^ will result 
in. the current packet being found to exceed a bandwidth contract 
even though there are enough tokens in the bucket to accoxranodate 
most (but not all) of the packet. 

On the other hand, the practical benefit of deducting the 
size debit D for the current packet prior to making i:he policing 
decision is not. clear, since in high speed tiontrollere the data 
transfer. rate is exponentially larger than the maximum packet 
size. At most a nominal and temporary violation of the 
bandwidth contract for a flow will occur as long as the size 
debii: D Is made within a reasonable time thereafter- 

in this embodiment of the present inventionr deferred 
debiting preferably is used to overcome the above difficulties 
in applying the common token bucket state expression to police 
high speed data flows. 

For example, a data policing method may be provided. The 
data policing method preferably includes: receiving a packet; 
adding a time credit to a first token count to generate a second 
token count; applying the second token count to generate a 
policing result for the packet; and aipplying the policing result 
for the packet to subtract or not a size debit from the second 
token count to generate or not, respectively, a third token 
count • 

The data policing method may further comprise: , receiving 
a second packet; adding a time credit to the second token count 
to generate a fourth token count; and applying the fourth token 
count to generate a policing result for th« second packet. 

Another data policing method may also be provided- This 
data policing method preferably includes: receiving a packet; 
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adding a time credit to a first token count to generate a second 
token couni:; applying the second token count to generate a 
policing resuli: for the packet; applying the policing result for 
the packet to generate a disposition result for the packet; and 
applying the disposition result for the packet to subtract or 
not a size debit from the second token count to generate or' not, 
respect ivelyr a third token count. 

In this .data policing method, the police result may be 
applied as a recojnmendation with at least one other 
recoiianendafcion to genera-fce the disposition result for the 
packet. 

Yet another data policing method preferably includes: 
receiving a packet; adding a time credit to ones of token counts 
to generate respective ones of second token counts; applying the 
ones of second token counts to generate a policing result for 
the packet; and applying Che policing result for the packet to 
subtract or not a size debit from at least one of the second 
token counts to generate or not, respectively ^ at least one 
third token count. 

Still another data policing method preferably includes: 
receiving a packet; adding a tiroe credit to ones of token counts 
to generate respective ones of second token counts; applying the 
ones of second token counts to generate a policing result for 
the packet; applying the policing rosult for the pacfcei: to 
generate a disposition result. for the packet; and applying the 
disposition result for the packet to subtract or not a size 
debit from at least one of the second token counts to generate 
or not, respectively, at least one third token count. 

The following dara policing methods further illustrate 
flow rate policing with deferred debiting In one embodiment of 
the present invention. 

A data policing method preferably includes: receiving a 
packet; adding a time credit to a first token count to generate 
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a second token count; applying the second token count to 
generate a policing result for the packet; and applying the 
policing result to subtract or not a size debit from the second 
token count to generate or not, respectivelyr a third token 
count . 

The data policing method preferably further includes i 
receiving a second packet; adding a time credit to the second 
token count to generate a fourth token count; and applying the 
fourth token count to generate a policing result for the second 
packat . 

Another data policing method preferably includes: 
receiving a packet; adding a time credit to a first token count 
to generate a second token count; applying the second token 
count to generate a policing result for the packet; applying the 
policing result to generate a disposition result for the packet; 
and applying cJne disposition result to subtract or not a size 
debit from th«i second token count to generate or not, 
respectively / a third token count. The police result may be 
applied as a recommendation with at least one other 
recommendation to generate the disposition result. 

Yet another data policing method preferably includes: 
receiving a packet; adding a time credit to ones of token counts 
to generate respective ones of second token counts; applying the 
ones of second token counts to generate a policing result for 
the packet? and applying the policing result to subtract or not 
a size debit from at least one of the second token counts to 
generate or not, respectively, at least one third token count. 

Still another data policing method preferably includes: 
receiving a packet; adding a time credit to ones of token counts 
to generate respective ones of second token ..counts; applying the 
ones of second token counts: to generate a policing result for 
the packet; applying the policing result to generate a 
disposition result .for the packet; and applying the disposition 



mm2 002-44150 



result to subtract or not a size debit from at least one of the 
second token counrs to generate or not, respectively, at least 
one third token count. 

Although this invention has been described in certain 
specific embodiments, those skilled in the art will have no 
difficulty devising variations which in no way depart from the 
scope and spirit of the present invention. It is therefore to 
be understood that this invention may be practiced otherwise 
than is specif ically . described. Thus, the present embodiments 
of the invention should be considered in .all respects as 
illustrative and not restrictive^ the scope of th« invention to 
be indicated by the appended claims and their equivalents rather 
than the foregoing description- 

4. Brief Description of Drawings 

FIG. 1 illustrates a network environinent including a 

packet switching node in which one embodiment of tlx© present 
invention is used* 

PIG- 2 i» a block diagram of a switching interface in one 
embodiment of the present invention. 

PIG, 3 Is a block diagram of a programmable packet 
switching controller in one onbodiment of the present invention? 

FIG. 4 is a block diagram of a packet switching controller 
with programmable disposition logic in one embodiment of the 
present invention* 

FIG- S is a flow diagram of a process ot programmarlcally 
generating a disposition decision using multiple disposition 
recommendations and classification information in one embodiment 
of the present invention. 

. PIG. 6 is a block diagram illustrating the process of 
marking packets into different classifications. 

PIG. 7 is a policing data table used for policing data 
packets based on multiple policy levels in one embodiment of the 
present invention. 

F1G» 8 is a flow diagram of multi-level policing process 
in one embodiment of the present invention, 

FIG, 9 is a block diagram of a packet switching controller 
having flow rate policing with deferred debiting in one 
embodiment of the present invention. 
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Fig. 5 
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Fig. 8 
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Fig. 9 
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1. Abstract 

A switch includes a backplane and multiple packet 
processors. One or more packet processors include multi-level 
policing logic. The packet processor receives a packet and 
classifies the packet into multiple policeable groups. The 
packet is compared against bandwidth contracts defined for the 
policeable groups. Nested lookups are performed for the packet 
in a policing database to identify thss multiple groups and to 
retrieve policing data for the multiple policoabXa groups. The 
policing results, vhich may be combined into a single policing 
result by talcing the worst case policing result, are applied to 
dieposition logic as recommendations, and are combined with 
other disposition recommendations to make a disposition decision 
for the packet* 



2. Representative 
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